lcamtuf's blog, by Michal Zalewski
<h2>Setting up bug bounties for success</h2>
<p>Michal Zalewski, 2018-03-03</p>
<p>
Bug bounties end up in the news with some regularity, usually for the wrong reasons. I've been itching to write
about that for a while - but instead of dwelling on the mistakes of the bygone days, I figured it may be better to
talk about some of the ways to get vulnerability rewards right.
</p>
<h4>What do you get out of bug bounties?</h4>
<p>
There are plenty of differing views, but I like to think of such programs
simply as a bid on researchers' time. In the most basic sense, you get three benefits:
</p>
<ul>
<li> Improved ability to detect bugs in production before they become major incidents.
<li> A comparatively unbiased feedback loop to help you prioritize and measure other security work.
<li> A robust talent pipeline for when you need to hire.
</ul>
<h4>What don't bug bounties offer?</h4>
<p>
You don't get anything resembling a comprehensive security program or a systematic assessment of your platforms.
Researchers end up looking for bugs that offer favorable effort-to-payoff ratios for their skills and given the
very imperfect information they have about your enterprise. In other words, you may end up with a hundred
people looking for XSS and just one person looking for RCE.
</p>
<p>
Your reward structure can steer them toward the targets and bugs you care about, but it's difficult to fully
eliminate this inherent skew. There's only so far you can jack up your top-tier rewards, and only so far you can
go lowering the bottom-tier ones.
</p>
<h4>Don't you have to outcompete the black market to get all the "good" bugs?</h4>
<p>
There is a free market price discovery component to it all: if you're not getting the engagement you
were hoping for, you should probably consider paying more.
</p>
<p>
That said, there are going to be researchers who'd rather hurt you than work for you, no matter how much you pay;
you don't have to win them over, and you don't have to outspend every authoritarian government or
every crime syndicate. A bug bounty is effective simply if it attracts enough eyeballs to make bugs statistically
harder to find, and reduces the useful lifespan of any zero-days in black market trade. Plus, most
researchers don't want their work to be used to crack down on dissidents in Egypt or Vietnam.
</p>
<p>
Another factor is that you're paying for different things: a black market buyer probably wants a reliable exploit
capable of delivering payloads, and then demands silence for months or years to come; a vendor-run
bug bounty program is usually perfectly happy with a reproducible crash and doesn't mind a researcher blogging
about their work.
</p>
<p>
In fact, while money is important, you will probably find out that it's not enough to retain your top talent;
many folks want bug bounties to be more than a business transaction, and find a lot of value in having a close
relationship with your security team, comparing notes, and growing together. Fostering that partnership can
be more important than adding another $10,000 to your top reward.
</p>
<h4>How do I prevent it all from going horribly wrong?</h4>
<p>
Bug bounties are an unfamiliar beast to most lawyers and PR folks, so it's natural to be wary and try to plan
for every eventuality with pages and pages of impenetrable rules and fine-print legalese.
</p>
<p>
This is generally unnecessary: there is a strong self-selection bias, and almost every participant in a
vulnerability reward program will be coming to you in good faith. The more friendly, forthcoming, and
approachable you seem, and the more you treat them like peers, the more likely it is for your relationship to stay
positive. On the flip side, there is no faster way to make enemies than to make a security researcher feel that they
are now talking to a lawyer or to the PR dept.
</p>
<p>
Most people have strong opinions on disclosure policies; instead of imposing your own views, strive to patch reported bugs
reasonably quickly, and almost every reporter will play along. Demand that researchers cancel conference appearances,
take down blog posts, or sign NDAs, and you will sooner or later end up in the news.
</p>
<h4>But what if that's not enough?</h4>
<p>
As with any business endeavor, mistakes will happen; total risk avoidance is seldom the answer. Learn to sincerely
apologize for mishaps; it's not a sign of weakness to say "sorry, we messed up". And you will almost certainly not end
up in the courtroom for doing so.
</p>
<p>
It's good to foster a healthy and productive relationship with the community, so that they come to your defense when
something goes wrong. Encouraging people to disclose bugs and talk about their experiences is one way of accomplishing that.
</p>
<h4>What about extortion?</h4>
<p>
You should structure your program to naturally discourage bad behavior and make it stand out like a sore thumb.
Require bona fide reports with complete technical details before any reward decision is made by a panel of named peers;
and make it clear that you never demand non-disclosure as a condition of getting a reward.
</p>
<p>
To avoid researchers accidentally putting themselves in awkward situations, have clear rules around data exfiltration
and lateral movement: assure them that you will always pay based on the worst-case impact of their findings; in exchange,
ask them to stop as soon as they get a shell and never access any data that isn't their own.
</p>
<h4>So... are there any downsides?</h4>
<p>
Yep. Other than souring your relationship with the community if you implement your program wrong, the other consideration
is that bug bounties tend to generate a lot of noise from well-meaning but less-skilled researchers.
</p>
<p>
When this happens, do not get frustrated and do not penalize such participants; instead, help them grow. Consider
publishing educational articles, giving advice on how to investigate and structure reports, or
offering free workshops every now and then.
</p>
<p>
The other downside is cost; although bug bounties tend to offer far more bang for your buck than your average penetration
test, they are more random. The annual expenses tend to be fairly predictable, but there is always
some possibility of having to pay multiple top-tier rewards in rapid succession. This is the kind of uncertainty that
many mid-level budget planners react badly to.
</p>
<p>
Finally, you need to be able to fix the bugs you receive. It would be nuts to prefer to not know about the
vulnerabilities in the first place - but once you invite the research, the clock starts ticking and you need to
ship fixes reasonably fast.
</p>
<h4>So... should I try it?</h4>
<p>
There are folks who enthusiastically advocate for bug bounties in every conceivable situation, and people who dislike them
with fierce passion; both sentiments are usually strongly correlated with the line of business they are in.
</p>
<p>
In reality, bug bounties are not a cure-all, and there are some ways to make them ineffectual or even dangerous.
But they are not as risky or expensive as most people suspect, and when done right, they can actually be fun for your
team, too. You won't know for sure until you try.
</p>
<h2>Getting product security engineering right</h2>
<p>Michal Zalewski, 2018-02-24</p>
<p>
Product security is an interesting animal: it is a uniquely cross-disciplinary endeavor that spans policy, consulting,
process automation, in-depth software engineering, and cutting-edge vulnerability research. And in contrast to many
other specializations in our field of expertise - say, incident response or network security - we have virtually no
time-tested and coherent frameworks for setting it up within a company of any size.
</p>
<p>
In my <a href='https://lcamtuf.blogspot.com/2018/02/on-leadership.html'>previous post</a>, I shared some thoughts
on nurturing technical organizations and cultivating the right kind of leadership within. Today, I figured it would
be fitting to follow up with several notes on what I learned about structuring product security work - and about actually
making the effort count.
</p>
<h4>The "comfort zone" trap</h4>
<p>
For security engineers, knowing your limits is a sought-after quality: there is nothing more dangerous than a security
expert who goes off script and starts dispensing authoritatively-sounding but bogus advice on a topic they know very
little about. But that same quality can be destructive when it prevents us from growing beyond our most familiar role: that of
a critic who pokes holes in other people's designs.
</p>
<p>
The role of a resident security critic lends itself all too easily to a sense of supremacy: the mistaken
belief that our cognitive skills exceed the capabilities of the engineers and product managers who come to us for help
- and that the cool bugs we file are the ultimate proof of our special gift. We start taking pride in the mere act
of breaking somebody else's software - and then write scathing but ineffectual critiques addressed to executives,
demanding that they either put a stop to a project or sign off on a risk. And hey, in the latter case, they better
brace for our triumphant "I told you so" at some later date.
</p>
<p>
Of course, escalations of this type have their place, but they need to be a very rare sight; when practiced routinely, they are a telltale
sign of a dysfunctional team. We might be failing to think up viable alternatives that are in tune with business or engineering needs; we might
be very unpersuasive, failing to communicate with other rational people in a language they understand; or it might be that our tolerance for risk
is badly out of whack with the rest of the company. Whatever the cause, I've seen high-level escalations where the security team
spoke of valiant efforts to resist inexplicably awful design decisions or data sharing setups; and where product leads in turn talked about
pressing business needs randomly blocked by obstinate security folks. Sometimes, simply having them compare their notes would be enough to arrive
at a technical solution - such as sharing a less sensitive subset of the data at hand.
</p>
<p>
To be effective, any product security program must be rooted in a partnership with the rest of the company, focused on helping them get stuff done
while eliminating or reducing security risks. To combat the toxic us-versus-them mentality, I found it helpful to have some team members with
software engineering backgrounds, even if it's the ownership of a small open-source project or so. This can broaden our horizons, helping us see
that we all make the same mistakes - and that not every solution that sounds good on paper is usable once we code it up.
</p>
<h4>Getting off the treadmill</h4>
<p>
All security programs involve a good chunk of operational work. For product security, this can be a combination of product launch reviews, design consulting requests, incoming bug reports, or compliance-driven assessments of some sort. And curiously, such reactive work also has the property of gradually expanding to consume all the available resources on a team: next year is bound to bring even more review requests, even more regulatory hurdles, and even more incoming bugs to triage and fix.
</p>
<p>
Being more tractable, such routine tasks are also more readily enshrined in SDLs, SLAs, and all kinds of other official documents that are often mistaken for a mission statement that justifies the existence of our teams. Soon, instead of explaining to a developer why they should fix a particular problem right away, we end up pointing them to page 17 in our severity classification guideline, which defines that "severity 2" vulnerabilities need to be resolved within a month. Meanwhile, another policy may be telling them that they need to run a fuzzer or a web application scanner for a particular number of CPU-hours - no matter whether it makes sense or whether the job is set up right.
</p>
<p>
To run a product security program that scales sublinearly, stays abreast of future threats, and doesn't erect bureaucratic speed bumps just for the sake of it, we need to recognize this inherent tendency for operational work to take over - and we need to rein it in. No matter what the last year's policy says, we usually don't <i>need</i> to be doing security reviews with a particular cadence or to a particular depth; if we need to scale them back 10% to staff a two-quarter project that fixes an important API and squashes an entire class of bugs, it's a short-term risk we should feel empowered to take.
</p>
<p>
As noted in my earlier post, I find contingency planning to be a valuable tool in this regard: why not ask ourselves how the team would cope if the workload went up another 30%, but bad financial results precluded any team growth? It's actually fun to think about such hypotheticals ahead of time - and hey, if the ideas sound good, why not try them out today?
</p>
<h4>Living for a cause</h4>
<p>
It can be difficult to understand if our security efforts are structured and prioritized right; when faced with such uncertainty, it is natural to stick to the safe fundamentals - investing most of our resources into the very same things that everybody else in our industry appears to be focusing on today.
</p>
<p>
I think it's important to combat this mindset - and if so, we might as well tackle it head on. Rather than focusing on tactical objectives and policy documents, try to write down a concise mission statement explaining why you are a team in the first place, what specific business outcomes you are aiming for, how you prioritize them, and how you want it all to change in a year or two. It should be a fluid narrative that reads right and that everybody on your team can take pride in; my favorite way of starting the conversation is telling folks that we could always have a new VP tomorrow - and that the VP's first order of business could be asking, "why do you have so many people here and how do I know they are doing the right thing?". It's a playful but realistic framing device that motivates people to get it done.
</p>
<p>
In general, a comprehensive product security program should probably start with the assumption that no matter how many resources we have at our disposal, we will never be able to stay in the loop on everything that's happening across the company - and even if we did, we're not going to be able to catch every single bug. It follows that one of our top priorities for the team should be making sure that bugs don't happen very often; a scalable way of getting there is equipping engineers with intuitive and usable tools that make it easy to perform common tasks without having to worry about security at all. Examples include standardized, managed containers for production jobs; safe-by-default APIs, such as strict contextual autoescaping for XSS or type safety for SQL; security-conscious style guidelines; or plug-and-play libraries that take care of common crypto or ACL enforcement tasks.
</p>
<p>
Of course, not all problems can be addressed on framework level, and not every engineer will always reach for the right tools. Because of this, the next principle that I found to be worth focusing on is containment and mitigation: making sure that bugs are difficult to exploit when they happen, or that the damage is kept in check. The solutions in this space can range from low-level enhancements (say, hardened allocators or <i>seccomp-bpf</i> sandboxes) to client-facing features such as browser origin isolation or Content Security Policy.
</p>
<p>
The usual consulting, review, and outreach tasks are an important facet of a product security program, but probably shouldn't be the sole focus of your team. It's also best to avoid undue emphasis on vulnerability showmanship: while valuable in some contexts, it creates a hypercompetitive environment that may be hostile to less experienced team members - not to mention, squashing individual bugs offers very limited value if the same issue is likely to be reintroduced into the codebase the next day. I like to think of security reviews as a teaching opportunity instead: it's a way to raise awareness, form partnerships with engineers, and help them develop lasting habits that reduce the incidence of bugs. Metrics to understand the impact of your work are important, too; if your engagements are seen mostly as a yet another layer of red tape, product teams will stop reaching out to you for advice.
</p>
<p>
The other tenet of a healthy product security effort requires us to recognize that at scale and given enough time, every defense mechanism is bound to fail - and so, we need ways to prevent bugs from turning into incidents. The efforts in this space may range from developing product-specific signals for the incident response and monitoring teams; to offering meaningful vulnerability reward programs and nourishing a healthy and respectful relationship with the research community; to organizing regular offensive exercises in hopes of spotting bugs before anybody else does.
</p>
<p>
Oh, one final note: an important feature of a healthy security program is the existence of multiple feedback loops that help you spot problems without the need to micromanage the organization and without being deathly afraid of taking chances. For example, the data coming from bug bounty programs, if analyzed correctly, offers a wonderful way to alert you to systemic problems in your codebase - and later on, to measure the impact of any remediation and hardening work.
</p>
<h2>Progressing from tech to leadership</h2>
<p>Michal Zalewski, 2018-02-02</p>
<p>
I've been a technical person all my life. I started doing vulnerability research in the late 1990s - and even today, when I'm not <a href='http://lcamtuf.coredump.cx/rstory/'>fiddling with CNC-machined robots</a> or <a href='http://lcamtuf.coredump.cx/woodworking/'>making furniture</a>, I'm probably <a href='http://lcamtuf.coredump.cx/afl/'>clobbering together a fuzzer</a> or writing a <a href='http://lcamtuf.coredump.cx/tangled/'>book about browser protocols and APIs</a>. In other words, I'm a geek at heart.
</p>
<p>
My career is a different story. Over the past two decades and change, I went from writing CGI scripts and setting up WAN routers for a chain of shopping malls, to doing pentests for institutional customers, to designing a series of network monitoring platforms and handling incident response for a big telco, to building and running the product security org for one of the largest companies in the world. It's been an interesting ride - and now that I'm on the hook for the well-being of about 100 folks across more than a dozen subteams around the world, I've been thinking a bit about the lessons learned along the way.
</p>
<p>
Of course, I'm a bit hesitant to write such a post: sometimes, your efforts pan out not because of your approach, but despite it - and it's possible to draw precisely the wrong conclusions from such anecdotes. Still, I'm very proud of the culture we've created and the caliber of folks working on our team. It happened through the work of quite a few talented tech leads and managers even before my time, but it did not happen by accident - so I figured that my observations may be useful for some, as long as they are taken with a grain of salt.
</p>
<p>
But first, let me start on a somewhat somber note: what nobody tells you is that one's level on the leadership ladder tends to be inversely correlated with several measures of happiness. The reason is fairly simple: as you get more senior, a growing number of people will come to you expecting you to solve increasingly fuzzy and challenging problems - and you will no longer be patted on the back for doing so. This should not scare you away from such opportunities, but it definitely calls for a particular mindset: your motivation must come from within. Look beyond the fight-of-the-day; find satisfaction in seeing how far your teams have come over the years.
</p>
<p>
With that out of the way, here's a collection of notes, loosely organized into three major themes.
</p>
<h4>The curse of a techie leader</h4>
<p>
Perhaps the most interesting observation I have is that for a person coming from a technical background, building a healthy team is first and foremost about the subtle art of letting go.
</p>
<p>
There is a natural urge to stay involved in any project you've started or helped improve; after all, it's your baby: you're familiar with all the nuts and bolts, and nobody else can do this job as well as you. But as your sphere of influence grows, this becomes a choke point: there are only so many things you could be doing at once. Just as importantly, the project-hoarding behavior robs more junior folks of the ability to take on new responsibilities and bring their own ideas to life. In other words, when done properly, delegation is not just about freeing up your plate; it's also about empowerment and about signalling trust.
</p>
<p>
Of course, when you hand your project over to somebody else, the new owner will initially be slower and more clumsy than you; but if you pick the new leads wisely, give them the right tools and the right incentives, and don't make them deathly afraid of messing up, they will soon excel at their new jobs - and be grateful for the opportunity.
</p>
<p>
A related affliction of many accomplished techies is the conviction that they know the answers to every question even tangentially related to their domain of expertise; that belief is coupled with a burning desire to have the last word in every debate. When practiced in moderation, this behavior is fine among peers - but for a leader, one of the most important skills to learn is knowing when to keep your mouth shut: people learn a lot better by experimenting and making small mistakes than by being schooled by their boss, and they often try to read into your passing remarks. Don't run an authoritarian camp focused on total risk aversion or perfectly efficient resource management; just set reasonable boundaries and exit conditions for experiments so that they don't spiral out of control - and be amazed by the results every now and then.
</p>
<h4>Death by planning</h4>
<p>
When nothing is on fire, it's easy to get preoccupied with maintaining the status quo. If your current headcount or budget request lists all the same projects as last year's, or if you ever find yourself ending an argument by deferring to a policy or a process document, it's probably a sign that you're getting complacent. In security, complacency usually ends in tears - and when it doesn't, it leads to burnout or boredom.
</p>
<p>
In my experience, your goal should be to develop a cadre of managers or tech leads capable of coming up with clever ideas, prioritizing them among themselves, and seeing them to completion without your day-to-day involvement. In your spare time, make it your mission to challenge them to stay ahead of the curve. Ask your vendor security lead how they'd streamline their work if they had a 40% jump in the number of vendors but no extra headcount; ask your product security folks what's the second line of defense or containment should your primary defenses fail. Help them get good ideas off the ground; set some mental success and failure criteria to be able to cut your losses if something does not pan out.
</p>
<p>
Of course, malfunctions happen even in the best-run teams; to spot trouble early on, instead of overzealous project tracking, I found it useful to encourage folks to run a data-driven org. I'd usually ask them to imagine that a brand new VP shows up in our office and, as his first order of business, asks "why do you have so many people here and how do I know they are doing the right things?". Not everything in security can be quantified, but hard data can validate many of your assumptions - and will alert you to unseen issues early on.
</p>
<p>
When focusing on data, it's important not to treat pie charts and spreadsheets as an art unto itself; if you run a security review process for your company, your CSAT scores are going to reach 100% if you just rubberstamp every launch request within ten minutes of receiving it. Make sure you're asking the right questions; instead of "how satisfied are you with our process", try "is your product better as a consequence of talking to us?"
</p>
<p>
Whenever things are not progressing as expected, it is a natural instinct to fall back to micromanagement, but it seldom truly cures the ill. It's probable that your team disagrees with your vision or its feasibility - and that you're either not listening to their feedback, or they don't think you'd care. It's good to assume that most of your employees are as smart or smarter than you; barking your orders at them more loudly or more frequently does not lead anyplace good. It's good to listen to them and either present new facts or work with them on a plan you can all get behind.
</p>
<p>
In some circumstances, all that's needed is honesty about the business trade-offs, so that your team feels like your "partner in crime", not a victim of circumstance. For example, we'd tell our folks that by not falling behind on basic, unglamorous work, we earn the trust of our VPs and SVPs - and that this translates into the independence and the resources we need to pursue more ambitious ideas without being told what to do; it's how we game the system, so to speak. Oh: leading by example is a pretty powerful tool at your disposal, too.
</p>
<h4>The human factor</h4>
<p>
I've come to appreciate that hiring decent folks who can get along with others is far more important than trying to recruit conference-circuit superstars. In fact, hiring superstars is a decidedly hit-and-miss affair: while certainly not a rule, there is a proportion of folks who put the maintenance of their celebrity status ahead of job responsibilities or the well-being of their peers.
</p>
<p>
For teams, one of the most powerful demotivators is a sense of unfairness and disempowerment. This is where tech-originating leaders can shine, because their teams usually feel that their bosses understand and can evaluate the merits of the work. But it also means you need to be decisive and actually solve problems for them, rather than just letting them vent. You will need to make unpopular decisions every now and then; in such cases, I think it's important to move quickly, rather than prolonging the uncertainty - but it's also important to sincerely listen to concerns, explain your reasoning, and be frank about the risks and trade-offs.
</p>
<p>
Whenever you see a clash of personalities on your team, you probably need to respond swiftly and decisively; being right should not justify being a bully. If you don't react to repeated scuffles, your best people will probably start looking for other opportunities: it's draining to put up with constant pie fights, no matter if the pies are thrown straight at you or if you just need to duck one every now and then.
</p>
<p>
More broadly, personality differences seem to be a much better predictor of conflict than any technical aspects underpinning a debate. As a boss, you need to identify such differences early on and come up with creative solutions. Sometimes, all you need is taking some badly-delivered but valid feedback and having a conversation with the other person, asking some questions that can help them reach the same conclusions without feeling that their worldview is under attack. Other times, the only path forward is making sure that some folks simply don't run into each other for a while.
</p>
<p>
Finally, dealing with low performers is a notoriously hard but important part of the game. Especially within large companies, there is always the temptation to just let it slide: sideline a struggling person and wait for them to either get over their issues or leave. But this sends an awful message to the rest of the team; for better or worse, fairness is important to most. Simply firing the low performers is seldom the best solution, though; successful recovery cases are what sets great managers apart from the average ones.
</p>
<p>
Oh, one more thought: people in leadership roles have their allegiance divided between the company and the people who depend on them. The obligation to the company is more formal, but the impact you have on your team is longer-lasting and more intimate. When the obligations to the employer and to your team collide in some way, make sure you can make the right call; it might be one of the most consequential decisions you'll ever make.
</p>
<h2>The deal with Bitcoin</h2>
<p>Michal Zalewski, 2017-12-13</p>
<div style='margin-left: 4em; color: steelblue'>
<i>&#9834; Used to have a little now I have a lot<br>
I'm still, I'm still Jenny from the block<br>
&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;chain &#9834;</i>
</div>
<p>
For all that has been written about Bitcoin and its ilk, it is curious that the focus is almost solely on what the cryptocurrencies are <i>supposed</i> to be. Technologists wax lyrical about the potential for blockchains to change almost every aspect of our lives. Libertarians and paleoconservatives ache for the return to "sound money" that can't be conjured up at the whim of a bureaucrat. Mainstream economists wag their fingers, proclaiming that a proper currency can't be deflationary, that it must maintain a particular velocity, or that the government must be able to nip crises of confidence in the bud. And so on.
</p>
<p>
Much of this may be true, but the proponents of cryptocurrencies should recognize that an appeal to consequences is not a guarantee of good results. The critics, on the other hand, would be best served to remember that they are drawing far-reaching conclusions about the effects of modern monetary policies based on a very short and tumultuous period in history.
</p>
<p>
In this post, my goal is to ditch most of the dogma, talk a bit about the origins of money - and then see how "crypto" fits the bill.
</p>
<h3>1. The prehistory of currencies</h3>
<p>
The emergence of money is usually explained in a very straightforward way. You know the story: a farmer raised a pig, a cobbler made a shoe. The cobbler needed to feed his family while the farmer wanted to keep his feet warm - and so they met to exchange the goods on mutually beneficial terms. But as the tale goes, the barter system had a fatal flaw: sometimes, a farmer wanted a cooking pot, a potter wanted a knife, and a blacksmith wanted a pair of pants. To facilitate increasingly complex, multi-step exchanges without requiring dozens of people to meet face to face, we came up with an abstract way to represent value - a shiny coin guaranteed to be accepted by every tradesman.
</p>
<p>
It is a nice parable, but it probably isn't very true. It seems far more plausible that early societies relied on the concept of debt long before the advent of currencies: an informal tally or a formal ledger would be used to keep track of who owes what to whom. The concept of debt, closely associated with one's trustworthiness and standing in the community, would have enabled a wide range of economic activities: debts could be paid back over time, transferred, renegotiated, or forgotten - all without having to engage in spot barter or to mint a single coin. In fact, such non-monetary, trust-based, reciprocal economies are still common in closely-knit communities: among families, neighbors, coworkers, or friends.
</p>
<p>
In such a setting, primitive currencies probably emerged simply as a consequence of having a system of prices: a cow being worth a particular number of chickens, a chicken being worth a particular number of beaver pelts, and so forth. Formalizing such relationships by settling on a single, widely-known unit of account - say, one chicken - would make it more convenient to transfer, combine, or split debts; or to settle them in alternative goods.
</p>
<p>
Contrary to popular belief, for communal ledgers, the unit of account probably did not have to be particularly desirable, durable, or easy to carry; it was simply an accounting tool. And indeed, we sometimes run into fairly unusual units of account even in modern times: for example, cigarettes can be the basis of a bustling prison economy even when most inmates don't smoke and there are not that many packs to go around.
</p>
<h3>2. The age of commodity money</h3>
<p>
In the end, the development of coinage might have had relatively little to do with communal trade - and far more with the desire to exchange goods with strangers. When dealing with an unfamiliar or hostile tribe, the concept of a chicken-denominated ledger does not hold up: the other side might be disinclined to honor its obligations - and get away with it, too. To settle such problematic trades, we needed a "spot" medium of exchange that would be easy to carry and authenticate, had a well-defined value, and a near-universal appeal. Throughout much of recorded history, precious metals - predominantly gold and silver - proved to fit the bill.
</p>
<p>
In the most basic sense, such commodities could be seen as a tool to reconcile debts across societal boundaries, without necessarily replacing any local units of account. An obligation, denominated in some local currency, would be created on the buyer's side in order to procure the metal for the trade. The proceeds of the completed transaction would in turn allow the seller to settle their own local obligations that arose from having to source the traded goods. In other words, our wondrous chicken-denominated ledgers could coexist peacefully with gold - and when commodity coinage finally took hold, it's likely that in everyday trade, precious metals served more as a useful abstraction than a precise store of value. A "silver chicken" of sorts.
</p>
<p>
Still, the emergence of commodity money had one interesting side effect: it decoupled the unit of debt - a "claim on the society", in a sense - from any moral judgment about its origin. A piece of silver would buy the same amount of food, whether earned through hard labor or won in a drunken bet. This disconnect remains a central theme in many of the debates about social justice and unfairly earned wealth.
</p>
<h3>3. The State enters the game</h3>
<p>
If there is one advantage of chicken ledgers over precious metals, it's that all chickens look and cluck roughly the same - something that can't be said of every nugget of silver or gold. To cope with this problem, we needed to shape raw commodities into pieces of a more predictable shape and weight; a trusted party could then stamp them with a mark to indicate the value and the quality of the coin.
</p>
<p>
At first, the task of standardizing coinage rested with private parties - but the responsibility was soon assumed by the State. The advantages of this transition seemed clear: a single, widely-accepted and easily-recognizable currency could now be used to settle virtually all private and official debts.
</p>
<p>
Alas, in what deserves the dubious distinction of being one of the earliest examples of monetary tomfoolery, some States succumbed to the temptation of fiddling with the coinage to accomplish anything from feeding the poor to waging wars. In particular, it would be common to stamp coins with the same face value but a progressively lower content of silver and gold. Perhaps surprisingly, the strategy worked remarkably well; at least in the times of peace, most people cared about the value stamped on the coin, not its precise composition or weight.
</p>
<p>
And so, over time, representative money was born: sooner or later, most States opted to mint coins from nearly-worthless metals, or print banknotes on paper and cloth. This radically new currency was accompanied by a simple pledge: the State offered to redeem it at any time for its nominal value in gold.
</p>
<p>
Of course, the promise was largely illusory: the State did not have enough gold to honor all the promises it had made. Still, as long as people had faith in their rulers and the redemption requests stayed low, the fundamental mechanics of this new representative currency remained roughly the same as before - and in some ways, were an improvement in that they lessened the insatiable demand for a rare commodity. Just as importantly, the new money still enabled international trade - using the underlying gold exchange rate as a reference point.
</p>
<h3>4. Fractional reserve banking and fiat money</h3>
<p>
For much of recorded history, banking was an exceptionally dull affair, not much different from running a communal chicken
ledger of old. But then, something truly marvelous happened in the 17th century: around that time, many European countries witnessed
the emergence of fractional-reserve banks.
</p>
<p>
These private ventures operated according to a simple scheme: they accepted people's coin
for safekeeping, promising to pay a premium on every deposit made. To meet these obligations and to make a profit, the banks then
used the pooled deposits to make high-interest loans to other folks. The financiers figured out that under normal circumstances
and when operating at a sufficient scale, they needed only a very modest reserve - well under 10% of all deposited money - to be
able to service the usual volume and size of withdrawals requested by their customers. The rest could be loaned out.
</p>
<p>
The very curious consequence of fractional-reserve banking was that it pulled new money out of thin air.
The funds were simultaneously accounted for in the statements shown to the depositor, evidently available for withdrawal or
transfer at any time; and given to third-party borrowers, who could spend them on just about anything. Heck, the borrowers could
deposit the proceeds in another bank, creating even more money along the way! Whatever they did, the sum of all funds in the monetary
system now appeared much higher than the value of all coins and banknotes issued by the government - let alone the amount of gold
sitting in any vault.
</p>
<p>
Of course, no new money was being created in any physical sense: all that banks were doing was engaging in a bit of creative accounting - the sort of which would probably land you in jail if you attempted it today in any other comparably vital field of enterprise. If too many depositors were to ask for their money back, or if too many loans were to go bad, the banking system would fold. Fortunes would evaporate in a puff of accounting smoke, and with the disappearance of vast quantities of quasi-fictitious ("broad") money, the wealth of the entire nation would shrink.
</p>
<p>
In the early 20th century, the world kept witnessing just that; a series of bank runs and economic contractions forced the governments around the globe to act. At that stage, outlawing fractional-reserve banking was no longer politically or economically tenable; a simpler alternative was to let go of gold and move to fiat money - a currency implemented as an abstract social construct, with no predefined connection to the physical realm. A new breed of economists saw the role of the government not in trying to peg the value of money to an inflexible commodity, but in manipulating its supply to smooth out economic hiccups or to stimulate growth.
</p>
<p>
(Contrary to popular belief, such manipulation is usually not done by printing new banknotes; more sophisticated methods, such as lowering reserve requirements for bank deposits or enticing banks to invest their deposits into government-issued securities, are the preferred route.)
</p>
<p>
The obvious peril of fiat money is that in the long haul, its value is determined strictly by people's willingness to accept a piece of paper in exchange for their trouble; that willingness, in turn, is conditioned solely on their belief that the same piece of paper would buy them something nice a week, a month, or a year from now. It follows that a simple crisis of confidence could make a currency nearly worthless overnight. A prolonged period of hyperinflation and subsequent austerity in Germany and Austria was one of the precipitating factors that led to World War II. In more recent times, dramatic episodes of hyperinflation plagued the fiat currencies of Israel (1984), Mexico (1988), Poland (1990), Yugoslavia (1994), Bulgaria (1996), Turkey (2002), Zimbabwe (2009), Venezuela (2016), and several other nations around the globe.
</p>
<p>
For the United States, the switch to fiat money came relatively late, in 1971. To stop the dollar from plunging like a rock, the Nixon administration employed a clever trick: they ordered the freeze of wages and prices for the 90 days that immediately followed the move. People went on about their lives and paid the usual for eggs or milk - and by the time the freeze ended, they were accustomed to the idea that the "new", free-floating dollar is worth about the same as the old, gold-backed one. A robust economy and favorable geopolitics did the rest, and so far, the American adventure with fiat currency has been rather uneventful - perhaps except for the fact that the price of gold itself skyrocketed from $35 per troy ounce in 1971 to $850 in 1980 (or, from $210 to $2,500 in today's dollars).
</p>
<p>
Well, one thing did change: now better positioned to freely tamper with the supply of money, the regulators in accord with the bankers adopted a policy of creating it at a rate that slightly outstripped the organic growth in economic activity. They did this to induce a small, steady degree of inflation, believing that doing so would discourage people from hoarding cash and force them to reinvest it for the betterment of the society. Some critics like to point out that such a policy functions as a "backdoor" tax on savings that happens to align with the regulators' less noble interests; still, either way: in the US and most other developed nations, the purchasing power of any money kept under a mattress will drop at a rate of somewhere between 2 to 10% a year.
</p>
<h3>5. So what's up with Bitcoin?</h3>
<p>
Well... countless tomes have been written about the nature and the optimal characteristics of government-issued fiat currencies. Some heterodox economists, notably including <a href='https://en.wikipedia.org/wiki/Murray_Rothbard'>Murray Rothbard</a>, have also explored the topic of privately-issued, decentralized, commodity-backed currencies. But Bitcoin is a wholly different animal.
</p>
<p>
In essence, BTC is a global, decentralized fiat currency: it has no (recoverable) intrinsic value, no central authority to issue it or define its exchange rate, and it has no anchoring to any historical reference point - a combination that until recently seemed nonsensical and escaped any serious scrutiny. It does the unthinkable by employing three clever tricks:
</p>
<ol>
<li><p>It allows anyone to create new coins, but only by solving brute-force computational challenges that get more difficult as time goes by,</p>
<li><p>It prevents unauthorized transfer of coins by employing public key cryptography to sign off transactions, with only the authorized holder of a coin knowing the correct key,</p>
<li><p>It prevents double-spending by using a distributed public ledger ("blockchain"), recording the chain of custody for coins in a tamper-proof way.</p>
</ol>
<p>
The blockchain is often described as the most important feature of Bitcoin, but in some ways, its importance is overstated. The idea of a currency that does not rely on a centralized transaction clearinghouse is what helped propel the platform into the limelight - mostly because of its novelty and the perception that it is less vulnerable to government meddling (although the government is still free to track down, tax, fine, or arrest any participants). On the flip side, the everyday mechanics of BTC would not be fundamentally different if all the transactions had to go through Bitcoin Bank, LLC.
</p>
<p>
A more striking feature of the new currency is the incentive structure surrounding the creation of new coins. The underlying design democratized the creation of new coins early on: all you had to do was leave your computer running for a while to acquire a number of tokens. The tokens had no practical value, but obtaining them involved no substantial expense or risk. Just as importantly, because the difficulty of the puzzles would only increase over time, the hope was that if Bitcoin caught on, latecomers would find it easier to purchase BTC on a secondary market than mine their own - paying with a more established currency at a mutually beneficial exchange rate.
</p>
<p>
The persistent publicity surrounding Bitcoin and other cryptocurrencies did the rest - and today, with the growing scarcity of coins and the rapidly increasing demand, the price of a single token hovers somewhere south of $15,000.
</p>
<h3>6. So... is it bad money?</h3>
<p>
Predicting is hard - especially the future. In some sense, a coin that represents a cryptographic proof of wasted CPU cycles is no better or worse than a currency that relies on cotton decorated with pictures of dead presidents. It is true that Bitcoin suffers from many implementation problems - long transaction processing times, high fees, frequent security breaches of major exchanges - but in principle, such problems can be overcome.
</p>
<p>
That said, currencies live and die by the lasting willingness of others to accept them in exchange for services or goods - and in that sense, the jury is still out. The use of Bitcoin to settle bona fide purchases is negligible, both in absolute terms and as a function of the overall volume of transactions. In fact, because of the technical challenges and limited practical utility, some companies that embraced the currency early on are <a href='https://www.theverge.com/2017/12/6/16743220/valve-steam-bitcoin-game-store-payment-method-crypto-volatility'>now backing out</a>.
</p>
<p>
When the value of an asset is derived almost entirely from its appeal as an ever-appreciating investment vehicle, the situation has all the telltale signs of a speculative bubble. But that does not <i>prove</i> that the asset is destined to collapse, or that a collapse would be its end. Still, the built-in deflationary mechanism of Bitcoin - the increasing difficulty of producing new coins - is probably both a blessing and a curse.
</p>
<p>
It's going to go one way or the other; and when it's all said and done, we're going to celebrate the people who made the right guess. Because the future is actually pretty darn easy to predict -- in retrospect.
</p>Michal Zalewskinoreply@blogger.com0tag:blogger.com,1999:blog-383549007228220941.post-42489839681007583022017-12-10T22:15:00.000-08:002017-12-10T22:15:45.121-08:00Weekend distractions, part deux: a bench, and stuff
<p>
Continuing the tradition of the <a href='https://lcamtuf.blogspot.com/2017/11/weekend-distractions-perfectly-good.html'>previous post</a>, here's a perfectly good bench:
</p>
<p>
<img src='http://lcamtuf.coredump.cx/blog_bench.jpg' height=534 width=800 style='border: 1px solid crimson'>
</p>
<p>
The legs are 8/4 hard maple, cut into 2.3" (6 cm) strips and then glued together. The top is 4/4 domestic walnut, with an additional strip glued to the bottom to make it look thicker (because gosh darn, walnut is expensive).
</p>
<p>
Cut on a bandsaw, joined together with a biscuit joiner + glue, then sanded, that's about it. Still applying finish (nitrocellulose lacquer from a rattle can), but this was the last moment when I could snap a photo (about to get dark) and it basically looks like the final product anyway. Pretty simple but turned out nice.
</p>
<p>
Several additional, smaller woodworking projects <a href='http://lcamtuf.coredump.cx/woodworking/'>here</a>.
</p>Michal Zalewskinoreply@blogger.com0tag:blogger.com,1999:blog-383549007228220941.post-70633877594720554662017-11-04T15:06:00.000-07:002017-11-04T15:06:10.196-07:00Weekend distractions: a perfectly good dining table<p>
I've been a DIYer all my adult life. Some of my non-software projects still revolve around computers, especially when they deal with <a href='http://lcamtuf.coredump.cx/gcnc/'>CNC machining</a> or <a href='http://lcamtuf.coredump.cx/geiger/'>electronics</a>. But I've also been dabbling in woodworking for quite a while. I have not put that much effort into documenting my projects (say, <a href='http://lcamtuf.coredump.cx/robot/show_image.cgi/_V6A8236-Edit.jpg'>cutting boards</a>) - but I figured it's time to change that. It may inspire some folks to give a new hobby a try - or help them overcome a problem or two.
</p>
<p>
So, without further ado, here's the <a href='http://lcamtuf.coredump.cx/table/'>build log</a> for a dining table I put together over the past two weekends or so. I think it turned out pretty nice:
</p>
<p>
<img src='http://lcamtuf.coredump.cx/table/31-finished-small.jpg' height=534 width=800 style='border: 1px solid crimson'>
</p>
<p>
Have fun!
</p>Michal Zalewskinoreply@blogger.com2tag:blogger.com,1999:blog-383549007228220941.post-31729112359821564812017-05-04T17:24:00.001-07:002017-05-04T21:39:34.381-07:00RFD: the alien abduction prophecy protocol<p style='color: gray; margin-left: 4ex'>
<i>"It's tough to make predictions, especially about the future."</i><br>- variously attributed to Yogi Berra and Niels Bohr
</p>
<p>
Right. So let's say you are visited by transdimensional space aliens from outer space. There's some old-fashioned probing, but eventually, they get to the point. They outline a series of apocalyptic prophecies, beginning with the surprise 2032 election of Dwayne Elizondo Mountain Dew Herbert Camacho as the President of the United States, followed by a limited-scale nuclear exchange with the Grand Duchy of Ruritania in 2036, and culminating with the extinction of all life due to a series of <a href='https://en.wikipedia.org/wiki/Year_2038_problem'>cascading Y2K38 failures</a> that start at an Ohio pretzel reprocessing plant. Long story short, if you want to save mankind, you have to warn others of what's to come.
</p>
<p>
But there's a snag: when you wake up in a roadside ditch in Alabama, you realize that nobody is going to believe your story! If you come forward, your professional and social reputation will be instantly destroyed. If you're lucky, the vindication of your claims will come fifteen years later; if not, it might turn out that you were pranked by some space alien frat boys who just wanted to have some cheap space laughs. The bottom line is, you need to be certain before you make your move. You figure this means staying mum until the Election Day of 2032.
</p>
<p>
But wait, this plan is also not very good! After all, how could your future self convince others that you knew about President Camacho all along? Well... if you work in information security, you are probably familiar with a neat solution: write down your account of events in a text file, calculate a <a href='https://en.wikipedia.org/wiki/Cryptographic_hash_function'>cryptographic hash</a> of this file, and publish the resulting value somewhere permanent. Fifteen years later, reveal the contents of your file and point people to your old announcement. Explain that you must have been in possession of this very file back in 2017; otherwise, you would not have known its hash. Voila - a <a href='https://en.wikipedia.org/wiki/Commitment_scheme'>commitment scheme</a>!
</p>
<p>
Although elegant, this approach can be risky: historically, the usable life of cryptographic hash functions seemed to hover at somewhere around 15 years - so even if you pick a very modern algorithm, there is a real risk that future advances in cryptanalysis could severely undermine the strength of your proof. No biggie, though! For extra safety, you could combine several independent hashing functions, or increase the computational complexity of the hash by running it in a loop. There are also some less-known hash functions, such as <a href='https://sphincs.cr.yp.to/'>SPHINCS</a>, that are designed with different trade-offs in mind and may offer longer-term security guarantees.
</p>
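The commit-then-reveal flow from the two paragraphs above, as an added example that is not part of the original post: the commitment combines three independent hash functions and an iteration count (the "run it in a loop" kludge), and the verify step is what a future sleuth runs against the revealed text. The prediction text and the iteration count are constructed values.

```python
"""Added example, not code from the original post: a hash commitment to a
prediction file that combines several independent hash functions and an
iteration count, plus the check a future sleuth runs once the text is revealed."""
import hashlib
import hmac
import json

# Independent constructions: a cryptanalytic break of one is unlikely to
# carry over to the others, so a forger would have to defeat all three at once.
HASHES = ("sha256", "sha3_512", "blake2b")
DEFAULT_ITERATIONS = 50_000  # crude CPU "price tag"; raise it for a real commitment


def commit(prediction: bytes, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Build a publishable commitment. It contains only digests and the
    parameters needed to recompute them, nothing about the text itself."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digests = {}
    for name in HASHES:
        h = hashlib.new(name, prediction).digest()
        # Re-feed the prediction each round so every step depends on it,
        # rather than only on the previous digest.
        for _ in range(iterations - 1):
            h = hashlib.new(name, h + prediction).digest()
        digests[name] = h.hex()
    return {"hashes": digests, "iterations": iterations}


def verify(prediction: bytes, commitment: dict) -> bool:
    """Recompute the commitment from the revealed text; every algorithm must
    match, so a commitment missing one of them is rejected as well."""
    expected = commit(prediction, commitment["iterations"])["hashes"]
    published = commitment.get("hashes", {})
    return all(hmac.compare_digest(expected[n], published.get(n, ""))
               for n in HASHES)


if __name__ == "__main__":
    # Constructed sample prediction, standing in for the abductee's text file.
    prediction = b"2032: surprise election of a certain Mr. Camacho.\n"
    c = commit(prediction)
    print(json.dumps(c, indent=2))                     # what gets published in 2017
    print("verifies:", verify(prediction, c))          # True, once the text is revealed
    print("altered text verifies:", verify(prediction + b"!", c))  # False
```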
<p>
Of course, the computation of the hash is not enough; it needs to become an immutable part of the public record and remain easy to look up for years to come. There is no guarantee that any particular online publishing outlet is going to stay afloat that long and continue to operate in its current form. The survivability of more specialized and experimental platforms, such as blockchain-based notaries, seems even less clear. Thankfully, you can resort to another kludge: if you publish the hash through a large number of independent online venues, there is a good chance that at least one of them will be around in 2032.
</p>
<p>
(Offline notarization - whether of the pen-and-paper or the PKI-based variety - offers an interesting alternative. That said, in the absence of an immutable, public ledger, accusations of forgery or collusion would be very easy to make - especially if the fate of the entire planet is at stake.)
</p>
<p>
Even with this out of the way, there is yet another profound problem with the plan: a current-day scam artist could conceivably generate hundreds or thousands of political predictions, publish the hashes, and then simply discard or delete the ones that do not come true by 2032 - thus creating an illusion of prescience. To convince skeptics that you are not doing just that, you could incorporate a <a href='https://en.wikipedia.org/wiki/Proof-of-work_system'>cryptographic proof of work</a> into your approach, attaching a particular CPU time "price tag" to every hash. The future you could then claim that it would have been prohibitively expensive for the former you to attempt the "prediction spam" attack. But this argument seems iffy: a $1,000 proof may already be too costly for a lower middle class abductee, while a determined tech billionaire could easily spend $100,000 to pull off an elaborate prank on the entire world. Not to mention, massive CPU resources can be commandeered with little or no effort by the operators of large botnets and many other actors of this sort.
</p>
<p>
In the end, my best idea is to rely on an inherently low-bandwidth publication medium, rather than a high-cost one. For example, although a determined hoaxer could place thousands of hash-bearing classifieds in some of the largest-circulation newspapers, such sleight-of-hand would be trivial for future sleuths to spot (at least compared to combing through the entire Internet for an abandoned hash). Or, as per an anonymous suggestion relayed by Thomas Ptacek: just tattoo the signature on your body, then post some pics; there are only so many places for a tattoo to go.
</p>
<p>
Still, what was supposed to be a nice, scientific proof devolved into a bunch of hand-wavy arguments and poorly-quantified probabilities. For the sake of future abductees: is there a better way?
</p>
Michal Zalewskinoreply@blogger.com12tag:blogger.com,1999:blog-383549007228220941.post-90540663298071899222017-04-22T15:48:00.000-07:002017-04-22T16:34:05.269-07:00AFL experiments, or please eat your brötli<p>
When messing around with <a href='http://lcamtuf.coredump.cx/afl/'>AFL</a>, you sometimes stumble upon something unexpected or amusing. Say,
having the fuzzer spontaneously <a href='https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html'>synthesize JPEG files</a>,
<a href='https://lcamtuf.blogspot.com/2014/11/afl-fuzz-nobody-expects-cdata-sections.html'>come up with non-trivial XML syntax</a>,
or <a href='https://lcamtuf.blogspot.com/2015/04/finding-bugs-in-sqlite-easy-way.html'>discover SQL semantics</a>.
</p>
<p>
It is also fun to challenge yourself to employ fuzzers in non-conventional ways. Two canonical examples are having your fuzzing target call <i>abort()</i> whenever two libraries that are supposed to implement the same algorithm produce different outputs when given identical input data; or when a library produces different outputs when asked to encode or decode the same data several times in a row.
</p>
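The harness pattern described above, as an added example that is not part of the original post: a real harness for <i>brotli</i> would be written in C against the library, so here zlib from the Python standard library stands in, and the three self-checks (round trip, output stability across repeated encodes, and equivalence of two code paths) end in <i>abort()</i> when any of them disagrees.

```python
"""Added example, not code from the original post: a fuzzing-harness skeleton
that applies the post's self-checks to a compressor and aborts on any
inconsistency. zlib from the standard library stands in for brotli."""
import os
import sys
import zlib


def compress_oneshot(data, level):
    return zlib.compress(data, level)


def compress_streaming(data, level, chunk=7):
    """A second code path through the same library: feed the input in small
    chunks through a compressobj. The compressed bytes may legitimately differ
    from the one-shot result, but they must decode to the same plaintext."""
    c = zlib.compressobj(level)
    out = bytearray()
    for i in range(0, len(data), chunk):
        out += c.compress(data[i:i + chunk])
    out += c.flush()
    return bytes(out)


def decompress(blob):
    """Tolerates trailing bytes after the stream (kept in unused_data);
    raises zlib.error on corrupt input, which the checks treat as a failure."""
    d = zlib.decompressobj()
    return d.decompress(blob) + d.flush()


def check(data, encode=compress_oneshot, encode_alt=compress_streaming, rounds=3):
    """Run the three checks at several compression levels and return the names
    of the ones that failed; an empty list means the codec behaved."""
    failures = []
    for level in (1, 6, 9):
        first = encode(data, level)
        # 1. round trip: decode(encode(x)) must give back x
        try:
            ok = decompress(first) == data
        except zlib.error:
            ok = False
        if not ok:
            failures.append(f"roundtrip@{level}")
        # 2. output stability: encoding the same input again must give the same bytes
        if any(encode(data, level) != first for _ in range(rounds - 1)):
            failures.append(f"stability@{level}")
        # 3. equivalence: an independent code path must decode to the same plaintext
        try:
            ok = decompress(encode_alt(data, level)) == data
        except zlib.error:
            ok = False
        if not ok:
            failures.append(f"equivalence@{level}")
    return failures


def main():
    # AFL-style entry point: the fuzzer hands us a file path; any failed check
    # becomes a SIGABRT, which AFL records as a crash and saves the input for.
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    failed = check(data)
    if failed:
        sys.stderr.write("inconsistent: " + ", ".join(failed) + "\n")
        os.abort()


if __name__ == "__main__":
    main()
```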
<p>
Such tricks may sound fanciful, but they actually find interesting bugs. In one case, AFL-based equivalence fuzzing revealed a
bunch of fairly rudimentary flaws in <a href='https://groups.google.com/forum/#!topic/afl-users/ypjZu_RW1IU'>common bignum libraries</a>,
with some theoretical implications for crypto apps. Another time, output stability checks revealed long-lived issues in
<a href='http://seclists.org/fulldisclosure/2013/Nov/83'>IJG jpeg</a> and other widely-used image processing libraries, leaking
data across web origins.
</p>
<p>
In one of my recent experiments, I decided to fuzz
<a href='https://github.com/google/brotli'><i>brotli</i></a>, an innovative compression library used in Chrome. But since it had
already been fuzzed for many CPU-years, I wanted to do it with a twist:
stress-test the compression routines, rather than the usually targeted decompression side. The latter is a far more fruitful
target for security research, because decompression normally involves dealing with well-formed inputs, whereas compression code is meant to
accept arbitrary data and not think about it too hard. That said, the low likelihood of flaws also means that the compression bits are a relatively unexplored surface that may be worth
poking with a stick every now and then.
</p>
<p>
In this case, the library held up admirably - save for a handful of computationally intensive plaintext inputs
(that are now easy to spot due to the <a href='https://groups.google.com/forum/#!topic/afl-users/7BoVk_cDpjM'>recent improvements</a> to AFL).
But the output corpus synthesized by AFL, after being seeded with a single file containing just "0", featured quite a few peculiar finds:
</p>
<ul>
<li>
<p>
Strings that looked like viable bits of HTML or XML:
<code>&lt;META HTTP-AAA IDEAAAA</code>,
<code>DATA="IIA DATA="IIA DATA="IIADATA="IIA</code>,
<code>&lt;/TD></code>.
</p>
<li>
<p>
Non-trivial numerical constants:
<code>1000,1000,0000000e+000000</code>,
<code>0,000 0,000 0,0000 0x600</code>,
<code>0000,$000: 0000,$000:00000000000000</code>.
</p>
<li>
<p>
Nonsensical but undeniably English sentences:
<code>them with them m with them with themselves</code>,
<code>in the fix the in the pin th in the tin</code>,
<code>amassize the the in the in the inhe@massive in</code>,
<code>he the themes where there the where there</code>,
<code>size at size at the tie</code>.
</p>
<li>
<p>
Bogus but semi-legible URLs:
<code>CcCdc.com/.com/m/ /00.com/.com/m/ /00(0(000000CcCdc.com/.com/.com</code>
</p>
<li>
<p>
Snippets of Lisp code:
<code>))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))</code>.
</p>
</ul>
<p>
The results are quite unexpected, given that they are just a product of randomly mutating a single-byte input file and observing the code coverage in a simple compression tool. The explanation is that <i>brotli</i>, in addition to more familiar binary coding methods, uses a static dictionary constructed by analyzing common types of web content. Somehow, by observing the behavior of the program, AFL was able to incrementally reconstruct quite a few of these hardcoded keywords - and then put them together in various semi-interesting ways. Not bad.
</p>Michal Zalewskinoreply@blogger.com2tag:blogger.com,1999:blog-383549007228220941.post-72313534842437516262017-02-01T15:42:00.001-08:002017-10-20T15:42:21.560-07:00...or, how I learned not to be a jerk in 20 short years<p>
People who are accomplished in one field of expertise tend to believe that they can bring unique insights to just about any other debate.
I am as guilty as anyone: at one time or another, I aired my thoughts on anything from
<a href='http://lcamtuf.coredump.cx/gcnc/full/'>CNC manufacturing</a>, to
<a href='http://lcamtuf.coredump.cx/electronics/'>electronics</a>, to
<a href='http://lcamtuf.coredump.cx/prep/'>emergency preparedness</a>, to
<a href='https://lcamtuf.blogspot.com/2015/07/poland-and-united-states-wrapping-up.html'>politics</a>.
Today, I'm about to commit the same sin - but instead of pretending to speak from a position of authority, I wanted to share a more personal tale.
</p>
<p style='margin-left: 2em; color: gray; font-size: 85%; transform: rotate(-0.75deg); text-align: center'>
<img src='http://lcamtuf.coredump.cx/blog-1994.jpg' width=600 height=400 style='border: 4px solid #808080'>
<br>
<i>The author, circa 1995. The era of hand-crank computers and punch cards.</i>
</p>
<p>
Back in my school days, I was that one really tall and skinny kid in the class. I wasn't trying to stay this way; I preferred computer games to sports, and my grandma's Polish cooking was heavy on potatoes, butter, chicken, dumplings, cream, and cheese. But that did not matter: I could eat what I wanted, as often as I wanted, and I still stayed in shape. This made me look down on chubby kids; if my reckless ways had little or no effect on my body, it followed that they had to be exceptionally lazy and must have lacked even the most basic form of self-control.
</p>
<p>
As I entered adulthood, my habits remained the same. I felt healthy and stayed reasonably active, walking to and from work every other day and hiking with friends whenever I could. But my looks started to change:
</p>
<p style='margin-left: 2em; color: gray; font-size: 85%; transform: rotate(0.75deg); text-align: center'>
<img src='http://lcamtuf.coredump.cx/blog-2002.jpg' width=600 height=400 style='border: 4px solid #808080'>
<br>
<i>The author at a really exciting BlackHat party in 2002.</i>
</p>
<p>
I figured it's just a part of growing up. But somewhere around my twentieth birthday, I stepped on a bathroom scale and typed the result into an online calculator. I was surprised to find out that my BMI was about 24 - pretty darn close to overweight.
</p>
<p>
<i>"Pssh, you know how inaccurate these things are!"</i>, I exclaimed while searching online to debunk that whole BMI thing. I mean, sure, I had some belly fat - maybe a pizza or two too far - but nothing that wouldn't go away in time. Besides, I was doing fine, so what would be the point of submitting to the society's idea of the "right" weight?
</p>
<p>
It certainly helped that I was having a blast at work. I made a name for myself in the industry, published a fair amount of cool research, authored a book, settled down, bought a house, had a kid. It wasn't until the age of 26 that I strayed into a doctor's office for a routine checkup. When the nurse asked me about my weight, I blurted out <i>"oh, 175 pounds, give or take"</i>. She gave me a funny look and asked me to step on the scale.
</p>
<p>
Turns out it was quite a bit more than 175 pounds. With a BMI of 27.1, I was now firmly into the "overweight" territory. Yeah yeah, the BMI metric was a complete hoax - but why did my passport photos look less flattering than before?
</p>
<p style='margin-left: 2em; color: gray; font-size: 85%; transform: rotate(-0.75deg); text-align: center'>
<img src='http://lcamtuf.coredump.cx/blog-2007.jpg?xxxxx' width=600 height=400 style='border: 4px solid #808080'>
<br>
<i>A random mugshot from 2007. Some people are just born big-boned, I think.</i>
</p>
<p>
Well, damn. I knew what had to happen: from now on, I was going to start eating healthier foods. I traded Cheetos for nuts, KFC for sushi rolls, greasy burgers for tortilla wraps, milk smoothies for Jamba Juice, fries for bruschettas, regular sodas for diet. I'd even throw in a side of lettuce every now and then. It was bound to make a difference. I just wasn't gonna be one of the losers who check their weight every day and agonize over every calorie on their plate. (Weren't calories a scam, anyway? I think I read that on that cool BMI conspiracy site.)
</p>
<p>
By the time I turned 32, my body mass index hit 29. At that point, it wasn't just a matter of looking chubby. I could do the math: at that rate, I'd be in a real pickle in a decade or two - complete with a ~50% chance of developing diabetes or cardiovascular disease. This wouldn't just make me miserable, but also mess up the lives of my spouse and kids.
</p>
<p style='margin-left: 2em; color: gray; font-size: 85%; transform: rotate(0.75deg); text-align: center'>
<img src='http://lcamtuf.coredump.cx/blog-2013.jpg' width=600 height=400 style='border: 4px solid #808080'>
<br>
<i>Presenting at Google TGIF in 2013. It must've been the unflattering light.</i>
</p>
<p>
I wanted to get this over with right away, so I decided to push myself hard. I started biking to work, quite a strenuous ride. It felt good, but did not help: I would simply eat more to compensate and ended up gaining a few extra pounds. I tried starving myself. That worked, sure - only to be followed by an even faster rebound. Ultimately, I had to face the reality: I had a problem and I needed a long-term solution. There was no one weird trick to outsmart the calorie-counting crowd, no overnight cure.
</p>
<p>
I started looking for real answers. My world came crumbling down; I realized that a "healthy" burrito from Chipotle packed four times as many calories as a greasy burger from McDonald's. That a loaded fruit smoothie from Jamba Juice was roughly equal to two hot dogs with a side of mashed potatoes to boot. That a glass of apple juice fared worse than a can of Sprite, and that bruschetta wasn't far from deep-fried butter on a stick. It didn't matter if it was sugar or fat, bacon or kale. Familiar favorites were not better or worse than the rest. Losing weight boiled down to portion control - and sticking to it for the rest of my life.
</p>
<p>
It was a slow and humbling journey that spanned almost a year. I ended up losing around 70 lbs along the way. What shocked me is that it wasn't a painful experience; what held me back for years was just my own smugness, plus the folksy wisdom gleaned from the covers of glossy magazines.
</p>
<p style='margin-left: 2em; color: gray; font-size: 85%; text-align: center'>
<img src='http://lcamtuf.coredump.cx/blog-2017.jpg' width=600 height=400 style='border: 4px solid #808080'>
<br>
<i>Author with a tractor, 2017.</i>
</p>
<p>
I'm not sure there is a moral to this story. I guess one lesson is: don't be a judgmental jerk. Sometimes, the simple things - the ones you think you have all figured out - prove to be a lot more complicated than they seem.
</p>
Michal Zalewski, 2016-08-26T21:59:00.001-07:00 (updated 2016-08-27T14:23:10.217-07:00)
So you want to work in security (but are too lazy to read Parisa's excellent essay)
<p>
If you have not seen it yet, Parisa Tabriz penned a <a href='https://medium.freecodecamp.com/so-you-want-to-work-in-security-bc6c10157d23'>lengthy and insightful post</a> about her experiences on what it takes to succeed in the field of information security.
</p>
<p>
My own experiences align pretty closely with Parisa's take, so if you are making your first steps down this path, I strongly urge you to give her post a good read. But if I had to sum up my lessons from close to two decades in the industry, I would probably boil them down to four simple rules:
</p>
<ol>
<li>
<p>Infosec is all about the mismatch between our intuition and the actual behavior of the systems we build. That makes it harmful to study the field as an abstract, isolated domain. To truly master it, dive into how computers work, then make a habit of asking yourself <i>"okay, but what if assumption X does not hold true?"</i> every step along the way.</p>
</li>
<li>
<p>
Security is a protoscience. Think of chemistry in the early 19th century: a glorious and messy thing, chock-full of colorful personalities, unsolved mysteries, and snake oil salesmen. You need passion and humility to survive. Those who think they have all the answers are a danger to themselves and to people who put their faith in them.
</p>
</li>
<li>
<p>
People will trust you with their livelihoods, but will have no way to truly measure the quality of your work. Don't let them down: be painfully honest with yourself and work every single day to address your weaknesses. If you are not embarrassed by the views you held two years ago, you are getting complacent - and complacency kills.
</p>
</li>
<li>
<p>
It will feel that way, but you are not smarter than software engineers. Walk in their shoes for a while: write your own code, show it to the world, and be humiliated by all the horrible mistakes you will inevitably make. It will make you better at your job - and will turn you into a better person, too.
</p>
</li>
</ol>
Michal Zalewski, 2016-08-04T09:23:00.001-07:00 (updated 2016-08-08T19:08:51.398-07:00)
CSS mix-blend-mode is bad for your browsing history
<p>
Up until mid-2010, any rogue website could get a good sense of your browsing habits by specifying a distinctive <i>:visited</i> CSS pseudo-class for any links on the page, rendering thousands of interesting URLs off-screen, and then calling the <i>getComputedStyle</i> API to figure out which pages appear in your browser's history.
</p>
<p>
After some deliberation, browser vendors have closed this loophole by disallowing almost all attributes in <i>:visited</i> selectors, spare for the fairly indispensable ability to alter foreground and background colors for such links. The APIs have been also redesigned to prevent the disclosure of this color information via <i>getComputedStyle</i>.
</p>
<p>
This workaround did not fully eliminate the ability to probe your browsing history, but limited it to scenarios where the user can be tricked into unwittingly feeding the style information back to the website one URL at a time. Several fairly convincing attacks have been demonstrated against patched browsers - my own 2013 entry can be found <a href='http://lcamtuf.coredump.cx/yahh/'>here</a> - but they generally depended on the ability to solicit one click or one keypress per every URL tested. In other words, the whole thing did not scale particularly well.
</p>
<p>
Or at least, it wasn't supposed to. In 2014, I described a <a href='http://lcamtuf.coredump.cx/css_calc/'>neat trick</a> that exploited normally imperceptible color quantization errors within the browser, amplified by stacking elements hundreds of times, to implement an <i>n-to-2<sup>n</sup></i> decoder circuit using just the <i>background-color</i> and <i>opacity</i> properties on overlaid <i>&lt;a href=...&gt;</i> elements to easily probe the browsing history of multiple URLs with a single click. To explain the basic principle, imagine wanting to test two links, and dividing the screen into four regions, like so:
</p>
<ul>
<li>Region #1 is lit only when both links are not visited (¬ link_a ∧ ¬ link_b),
<li>Region #2 is lit only when link A is not visited but link B is visited (¬ link_a ∧ link_b),
<li>Region #3 is lit only when link A is visited but link B is not (link_a ∧ ¬ link_b),
<li>Region #4 is lit only when both links are visited (link_a ∧ link_b).
</ul>
<p>
While the page couldn't directly query the visibility of the segments, we just had to convince the user to click the visible segment once to get the browsing history for both links, for example under the guise of dismissing a pop-up ad. (Of course, the attack could be scaled to far more than just 2 URLs.)
</p>
<p>
This problem was eventually addressed by browser vendors by simply improving the accuracy of color quantization when overlaying HTML elements; while this did not eliminate the risk, it made the attack far more computationally intensive, requiring the evil page to stack millions of elements to get practical results. Game over? Well, not entirely. In the footnote of my 2014 article, I mentioned this:
</p>
<p style='margin-left: 4ex; color: gray'>
"There is an upcoming CSS feature called <a href='https://drafts.fxtf.org/compositing-1/#mix-blend-mode'><i>mix-blend-mode</i></a>, which permits non-linear mixing with operators such as <i>multiply, lighten, darken,</i> and a couple more. These operators make Boolean algebra much simpler and if they ship in their current shape, they will remove the need for all the fun with quantization errors, successive overlays, and such. That said, mix-blend-mode is not available in any browser today."
</p>
<p>
As you might have guessed, patience is a virtue! As of mid-2016, <i>mix-blend-mode</i> - a feature to allow advanced compositing of bitmaps, very similar to the layer blending modes available in photo-editing tools such as Photoshop and GIMP - is shipping in Chrome and Firefox. And as it happens, in addition to their intended purpose, these non-linear blending operators permit us to implement arbitrary Boolean algebra. For example, to implement AND, all we need to do is use <i>multiply</i>:
</p>
<ul>
<li>black (0) x black (0) = black (0)
<li>black (0) x white (1) = black (0)
<li>white (1) x black (0) = black (0)
<li>white (1) x white (1) = white (1)
</ul>
<p>
For a practical demo, <a href='http://lcamtuf.coredump.cx/whack/'>click here</a>. A single click in that whack-a-mole game will reveal the state of 9 visited links to the JavaScript executing on the page. If this was an actual game and if it continued for a bit longer, probing the state of hundreds or thousands of URLs would not be particularly hard to pull off.
</p>
Michal Zalewski, 2016-05-11T10:15:00.002-07:00 (updated 2016-05-12T15:01:01.161-07:00)
Clearing up some misconceptions around the "ImageTragick" bug
<p>
The recent, highly publicized <a href='https://imagetragick.com'>"ImageTragick" vulnerability</a> had countless web developers scrambling to fix a remote code execution vector in ImageMagick - a popular bitmap manipulation tool commonly used to resize, transcode, or annotate user-supplied images on the Web. Whatever your take on "branded" vulnerabilities may be, the flaw certainly is notable for its ease of exploitation: it is an embarrassingly simple shell command injection bug reminiscent of the security weaknesses prevalent in the 1990s, and nearly extinct in core tools today. The issue also bears some parallels to the more far-reaching but equally striking <a href='https://en.wikipedia.org/wiki/Shellshock_(software_bug)'>Shellshock bug</a>.
</p>
<p>
That said, I believe that the publicity that surrounded the flaw was squandered by failing to make one very important point: even with this particular RCE vector fixed, anyone using ImageMagick to process attacker-controlled images is likely putting themselves at a serious risk.
</p>
<p>
The problem is fairly simple: for all its virtues, ImageMagick does not appear to be designed with malicious inputs in mind - and has a <a href='https://twitter.com/OSVDB/status/730447201604788224'>long and colorful history</a> of lesser-known but equally serious security flaws. For a single data point, look no further than the work done several months ago by Jodie Cunningham. Jodie fuzzed IM with a vanilla setup of <a href='http://lcamtuf.coredump.cx/afl/'>afl-fuzz</a> - and quickly identified about two dozen possibly exploitable security holes, along with countless denial of service flaws. A small sample of Jodie's findings can be found <a href='http://www.openwall.com/lists/oss-security/2014/12/24/1'>here</a>.
</p>
<p>
Jodie's efforts probably just scratched the surface; after "ImageTragick", a more recent effort by Hanno Boeck uncovered <a href='https://blog.fuzzing-project.org/45-ImageMagick-heap-overflow-and-out-of-bounds-read.html'>even more bugs</a>; from what I understand, Hanno's work also went only as far as using off-the-shelf fuzzing tools. You can bet that, short of a major push to redesign the entire IM codebase, the trickle won't stop any time soon.
</p>
<p>
And so, the advice sorely missing from the "ImageTragick" webpage is this:
</p>
<ul>
<li>
<p>
If all you need to do is simple transcoding or thumbnailing of potentially untrusted images, don't use ImageMagick. Use libpng, libjpeg-turbo, and giflib directly; for a robust way to use these libraries, have a look at the source code of Chromium or Firefox. The resulting implementation will be considerably faster, too.
</p>
<li>
<p>
If you <i>have to</i> use ImageMagick on untrusted inputs, consider sandboxing the code with <i>seccomp-bpf</i> or an equivalent mechanism that robustly restricts access to all user space artifacts and to the kernel attack surface. Rudimentary sandboxing technologies, such as <i>chroot()</i> or UID separation, are probably not enough.
</p>
<li>
<p>
If all other options fail, be zealous about limiting the set of image formats you actually pass down to IM. The bare minimum is to thoroughly examine the headers of the received files. It is also helpful to explicitly specify the input format when calling the utility, so as to preempt the auto-detection code. For command-line invocations, this can be done like so:
</p>
<p>
<code>convert [...other params...] -- jpg:input-file.jpg jpg:output-file.jpg</code>
</p>
<p>
The JPEG, PNG, and GIF handling code in ImageMagick is considerably more robust than the code that supports PCX, TGA, SVG, PSD, and the like.
</p>
</ul>
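<p>
The last two points above (examine the headers, then pin the input format on the command line) can be combined into one small gate in front of the <i>convert</i> call. What follows is an added example, not code from the ImageTragick advisory or from ImageMagick: it assumes a web backend that holds the upload as bytes, accepts only JPEG, PNG, and GIF, and shells out to <i>convert</i> in the form shown above. The sample headers at the bottom are constructed for the demo and are not real images.
</p>

```python
"""
Header-based allow-listing of untrusted images before they reach ImageMagick.

Added example, not code from the ImageTragick advisory or from ImageMagick
itself.  Assumptions: uploads arrive as bytes, only JPEG/PNG/GIF are wanted,
and the backend runs `convert ... -- fmt:in fmt:out` as the post shows.
"""
import struct

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"      # 8-byte PNG signature
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")   # the two GIF header versions
JPEG_SOI = b"\xff\xd8\xff"                # SOI marker followed by another marker


def sniff_format(head: bytes):
    """Return 'png', 'jpg' or 'gif' if the leading bytes match that format's
    fixed header, else None.  Only the header is checked; decoding is still
    the decoder's job.  Pass at least the first 16 bytes of the file."""
    if head.startswith(PNG_SIGNATURE):
        # A valid PNG's first chunk is IHDR and is always 13 bytes long.
        if head[8:12] == b"\x00\x00\x00\x0d" and head[12:16] == b"IHDR":
            return "png"
        return None
    if head.startswith(JPEG_SOI):
        return "jpg"
    if head[:6] in GIF_SIGNATURES:
        return "gif"
    return None


def build_convert_argv(upload: bytes, input_path: str, output_path: str,
                       extra_params=()):
    """Build argv for `convert` with the input format pinned from the sniffed
    header, so ImageMagick's auto-detection (and the PCX/TGA/SVG/PSD readers)
    never sees the file.  `--` stops a hostile filename from being read as an
    option.  Raises ValueError for anything that is not allow-listed."""
    fmt = sniff_format(upload[:16])
    if fmt is None:
        raise ValueError("upload header does not match JPEG, PNG or GIF; refusing")
    return ["convert", *extra_params, "--",
            f"{fmt}:{input_path}", f"{fmt}:{output_path}"]


# Constructed sample headers (not real images), just enough bytes to sniff.
PNG_HEAD = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR" + struct.pack(">IIBBBBB", 16, 16, 8, 2, 0, 0, 0)
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"
GIF_HEAD = b"GIF89a" + struct.pack("<HH", 16, 16)
SVG_TEXT = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"></svg>'
PCX_LIKE = b"\x0a\x05\x01\x08" + b"\x00" * 12   # PCX-style header, also refused


if __name__ == "__main__":
    for name, blob in [("png", PNG_HEAD), ("jpg", JPEG_HEAD), ("gif", GIF_HEAD),
                       ("svg", SVG_TEXT), ("pcx", PCX_LIKE)]:
        try:
            argv = build_convert_argv(blob, "/tmp/upload.bin", "/tmp/thumb.out",
                                      ("-resize", "128x128"))
            print(name, "->", " ".join(argv))
        except ValueError as exc:
            print(name, "-> rejected:", exc)
```

<p>
Note that the sniffer deliberately ignores the file extension and the client-supplied MIME type; only the bytes decide. It is a gate, not a validator: a file that passes can still be malformed, which is why the sandboxing advice above still applies.
</p>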
Michal Zalewski, 2016-02-09T12:45:00.000-08:00 (updated 2016-02-12T12:23:55.544-08:00)
Automatically inferring file syntax with afl-analyze
<p>
The nice thing about the <a href='http://lcamtuf.coredump.cx/afl/technical_details.txt'>control flow instrumentation</a> used by <a href='http://lcamtuf.coredump.cx/afl/'>American Fuzzy Lop</a> is that it lets you do much more than just, well, fuzz stuff. For example, the suite has long shipped with a standalone tool called <i>afl-tmin</i>, which automatically shrinks test cases while making sure that they still exercise the same functionality in the targeted binary (or still trigger the same crash). Another tool, <i>afl-cmin</i>, uses the same trick to eliminate redundant files from large test corpora.
</p>
<p>
The latest release of AFL features another nifty new addition along these lines: <i>afl-analyze</i>. The tool takes an input file, sequentially flips bytes in this data stream, and then observes the behavior of the targeted binary after every flip. From this information, it can infer several things:
</p>
<ul>
<li> No-op blocks that do not elicit any changes to control flow (say, comments, pixel data, etc.).
<li> Checksums, magic values, and other short, atomically compared tokens where any bit flip causes the same change to program execution.
<li> Longer blobs exhibiting this property - almost certainly corresponding to checksummed or encrypted data.
<li> "Pure" data sections, where analyzer-injected changes consistently elicit differing changes to control flow.
</ul>
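<p>
To make the classification concrete, here is a toy re-creation of the procedure just described, written for this post rather than taken from AFL: flip each byte of an input, run the target after every flip, and bucket byte positions by the pattern of behaviors seen. The target is a constructed parser whose return value stands in for the edge-coverage signature that AFL's instrumentation would collect; the two XOR probes per byte and the four-byte cut-off between "short token" and "longer blob" are simplifications chosen here, not afl-analyze's exact rules.
</p>

```python
"""
Toy re-creation of the afl-analyze idea: probe every byte of an input, observe
the target's behaviour after each change, and classify byte positions.

Added example, not AFL's own code.  toy_parser is a constructed target whose
string result stands in for an edge-coverage signature; PROBES and TOKEN_MAX
are simplifications chosen for the demo.
"""
import struct
import zlib

MAGIC = b"TOYF"


def toy_parser(data: bytes) -> str:
    """Constructed format: 4-byte magic, 4-byte payload plus its big-endian
    CRC32, 8 sample bytes that are branched on individually, then a comment
    the parser never reads.  Returns a coarse execution signature."""
    if len(data) < 20:
        return "truncated"
    if data[:4] != MAGIC:
        return "bad-magic"
    payload = data[4:8]
    (crc,) = struct.unpack(">I", data[8:12])
    if zlib.crc32(payload) != crc:
        return "bad-crc"
    # Each sample byte takes its own branches (sign bit, parity): this is the
    # "pure data" section, where different changes lead down different paths.
    codes = "".join(("H" if b & 0x80 else "L") + ("O" if b & 1 else "E")
                    for b in data[12:20])
    return "ok:" + codes          # bytes from offset 20 on are never inspected


PROBES = (0xFF, 0x01)   # XOR masks tried per byte (afl-analyze tries several)
TOKEN_MAX = 4           # assumed cut-off between "short token" and "long blob"


def classify_byte(data: bytes, i: int, base: str, parser):
    """Probe one byte.  Returns ('no-op', None) when no change matters,
    ('atomic', sig) when every change lands on the same new path, or
    ('data', None) when different changes produce different paths."""
    seen = set()
    for mask in PROBES:
        probe = bytearray(data)
        probe[i] ^= mask
        seen.add(parser(bytes(probe)))
    if seen == {base}:
        return ("no-op", None)
    if len(seen) == 1:
        return ("atomic", next(iter(seen)))
    return ("data", None)


def analyze(data: bytes, parser=toy_parser):
    """Group consecutive bytes with identical probe results into regions and
    label them with the categories the post lists for afl-analyze."""
    base = parser(data)
    per_byte = [classify_byte(data, i, base, parser) for i in range(len(data))]
    regions = []                      # (start, end_exclusive, kind)
    i = 0
    while i < len(data):
        j = i + 1
        while j < len(data) and per_byte[j] == per_byte[i]:
            j += 1
        kind = per_byte[i][0]
        if kind == "atomic":
            kind = "token" if j - i <= TOKEN_MAX else "checksummed/encrypted blob"
        elif kind == "data":
            kind = "pure data"
        regions.append((i, j, kind))
        i = j
    return regions


def build_sample() -> bytes:
    """A constructed, valid input for toy_parser."""
    payload = b"\xde\xad\xbe\xef"
    samples = bytes([0x10, 0x81, 0x33, 0xF0, 0x07, 0xA5, 0x40, 0xFF])
    comment = b"# trailing comment, never parsed\n"
    return MAGIC + payload + struct.pack(">I", zlib.crc32(payload)) + samples + comment


if __name__ == "__main__":
    sample = build_sample()
    for start, end, kind in analyze(sample):
        print(f"[{start:3d}..{end:3d})  {kind:27s} {sample[start:end]!r}")
```

<p>
On the constructed sample the four magic bytes come out as one short token, the payload and its CRC merge into a single eight-byte blob (any change anywhere in it trips the same checksum failure, so the analyzer cannot tell payload from checksum, exactly as the post describes), the eight sample bytes are reported as pure data, and the comment is a no-op region. Against a real binary, AFL's instrumentation replaces the return value with an actual coverage signature and the same grouping logic applies.
</p>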
<p>
This gives us some remarkable and quick insights into the syntax of the file and the behavior of the underlying parser. It may sound too good to be true, but actually seems to work in practice. For a quick demo, let's see what <i>afl-analyze</i> has to say about running <i>cut -d ' ' -f1</i> on a text file:
</p>
<p>
<img src='http://lcamtuf.coredump.cx/afl/analyze-cut.png' width=675 height=290 style='border: 1px solid teal; margin-left: 4ex'>
</p>
<p>
We see that <i>cut</i> really only cares about spaces and newlines. Interestingly, it also appears that the tool always tokenizes the entire line, even if it's just asked to return the first token. Neat, right?
</p>
<p>
Of course, the value of <i>afl-analyze</i> is greater for incomprehensible binary formats than for simple text utilities; perhaps even more so when dealing with black-box parsers (which can be analyzed thanks to the runtime QEMU instrumentation supported in AFL). To try out the tool's ability to deal with binaries, let's check out <i>libpng</i>:
</p>
<p>
<img src='http://lcamtuf.coredump.cx/afl/analyze-readpng.png' width=795 height=263 style='border: 1px solid teal; margin-left: 4ex'>
</p>
<p>
This looks pretty damn good: we have two four-byte signatures, followed by chunk length, four-byte chunk name, chunk length, some image metadata, and then a comment section. Neat, right? All in a matter of seconds: no configuration needed and no knobs to turn.
</p>
<p>
Of course, the tool shipped just moments ago and is still very much experimental; expect some kinks. Field testing and feedback welcome!
</p>
Michal Zalewski, 2016-01-14T17:19:00.001-08:00 (updated 2016-01-14T17:19:31.445-08:00)
Show and tell: doomsday planning for less crazy folk
<p>
Yup. I've been quiet recently, but that's in part because I've been working on this piece:
</p>
<p>
<a href='http://lcamtuf.coredump.cx/prep/'>http://lcamtuf.coredump.cx/prep/</a>
</p>
<p>
It's a fairly systematic and level-headed approach to threat modeling and risk management, except not for computer systems - and instead, for real life. There's not much I can add on top of what's already said on the linked page; have a look, you will probably find it to be an interesting read.
</p>
Michal Zalewski, 2015-10-02T16:42:00.000-07:00 (updated 2016-01-03T11:21:08.508-08:00)
Subjective explainer: gun debate in the US
<div style="color: gray; border: 1px solid gray; padding : 1ex 2ex">
<i>In the wake of the tragic events in Roseburg, I decided to briefly return to the topic of <a href='http://lcamtuf.blogspot.com/2015/07/poland-and-united-states-wrapping-up.html'>looking at the US culture</a> from the perspective of a person born in Europe. In particular, I wanted to circle back to the <a href='http://lcamtuf.blogspot.com/2015/06/poland-vs-united-states-firearms.html'>topic of firearms</a>.</i>
</div>
<p>
Contrary to <a href='http://www.gallup.com/poll/150464/americans-believe-crime-worsening.aspx'>popular beliefs</a>, the United States has witnessed a <a href='http://content.gallup.com/origin/gallupinc/GallupSpaces/Production/Cms/POLL/ldah6rdp6ukvngoyqi1fcg.gif'>dramatic decline</a> in violence over the past 20 years. In fact, when it comes to most types of violent crime - say, robbery, assault, or rape - the country now compares favorably to the UK and many other OECD nations. But as I <a href='http://lcamtuf.blogspot.com/2015/06/a-bit-more-on-firearms-in-us.html'>explored in my earlier posts</a>, one particular statistic - homicide - is still registering about three times as high as in many other places within the EU.
</p>
<p>
The homicide epidemic in the United States has a complex nature and overwhelmingly affects ethnic minorities and other disadvantaged social groups; perhaps because of this, the phenomenon sees very little honest, public scrutiny. It is propelled into the limelight only in the wake of spree shootings and other sickening, seemingly random acts of terror; such incidents, although statistically insignificant, take a profound mental toll on the American society. At the same time, the effects of high-profile violence seem strangely short-lived: they trigger a series of impassioned political speeches, invariably focusing on the connection between violence and guns - but the nation soon goes back to business as usual, knowing full well that another massacre will happen soon, perhaps the very same year.
</p>
<p>
On the face of it, this pattern defies all reason - angering my friends in Europe and upsetting many brilliant and well-educated progressives in the US. They utter frustrated remarks about the all-powerful gun lobby and the spineless politicians, blaming the partisan gridlock for the failure to pass even the most reasonable and toothless gun control laws. I used to be in the same camp; today, I think the reality is more complex than that.
</p>
<p>
To get to the bottom of this mystery, it helps to look at the spirit of radical individualism and classical liberalism that remains the national ethos of the United States - and in fact, is enjoying a degree of resurgence unseen for many decades prior. In Europe, it has long been settled that many individual liberties - be it the freedom of speech or the natural right to self-defense - can be constrained to advance even some fairly far-fetched communal goals. On the old continent, such sacrifices sometimes paid off, and sometimes led to atrocities; but the basic premise of European collectivism is not up for serious debate. In America, the same notion certainly cannot be taken for granted today.
</p>
<p>
When it comes to firearm ownership in particular, the country is facing a fundamental choice between two possible realities:
</p>
<ul>
<li> <p>A largely disarmed society that depends on the state to protect it from almost all harm, and where citizens are generally not permitted to own guns without presenting a compelling cause. In this model, adopted by <a href='http://lcamtuf.blogspot.com/2015/06/poland-vs-united-states-firearms.html'>many European countries</a>, firearms tend to be less available to common criminals - simply by the virtue of limited supply and comparatively high prices in black market trade. At the same time, it can be argued that any nation subscribing to this doctrine becomes more vulnerable to foreign invasion or domestic terror, should its government ever fail to provide adequate protection to all citizens. Disarmament can also limit civilian recourse against illegitimate, totalitarian governments - a seemingly outlandish concern, but also a very fresh memory for many European countries subjugated not long ago under the auspices of the Soviet Bloc.</p>
<li> <p>A well-armed society where firearms are available to almost all competent adults, and where the natural right to self-defense is subject to few constraints. This is the model currently employed in the United States, where it arises from the straightforward, originalist interpretation of the Second Amendment - as recognized by <a href='http://www.gallup.com/poll/1645/guns.aspx'>roughly 75% of all Americans</a> and affirmed by the Supreme Court. When following such a doctrine, a country will likely witness greater resiliency in the face of calamities or totalitarian regimes. At the same time, its citizens might have to accept some inherent, non-trivial increase in violent crime due to the prospect of firearms more easily falling into the wrong hands.</p>
</ul>
<p>
It seems doubtful that a viable middle-ground approach can exist in the United States. With more than 300 million civilian firearms in circulation, most of them in unknown hands, the premise of reducing crime through gun control would inevitably and critically depend on some form of confiscation; without such drastic steps, the supply of firearms to the criminal underground or to unfit individuals would not be disrupted in any meaningful way. Because of this, intellectual integrity requires us to look at many of the legislative proposals not only through the prism of their immediate utility, but also to give consideration to the societal model they are likely to advance.
</p>
<p>
And herein lies the problem: many of the current "common-sense" gun control proposals have <a href='http://lcamtuf.blogspot.com/2015/06/a-bit-more-on-firearms-in-us.html'>very little merit</a> when considered in isolation. There is scant evidence that reinstating the ban on military-looking semi-automatic rifles ("assault weapons"), or rolling out the prohibition on private sales at gun shows, would deliver measurable results. There is also no compelling reason to believe that ammo taxes, firearm owner liability insurance, mandatory gun store cameras, firearm-free school zones, bans on open carry, or federal gun registration can have any impact on violent crime. And so, the debate often plays out like this:
</p>
<div style='margin-left: 4ex'>
<iframe width="560" height="315" src="https://www.youtube.com/embed/lfcWNFPSGVA" frameborder="0" allowfullscreen></iframe>
</div>
<p>
At the same time, by the virtue of making weapons more difficult, expensive, and burdensome to own, many of the legislative proposals floated by progressives would probably gradually erode the US gun culture; intentionally or not, their long-term outcome would be a society less passionate about firearms and more willing to follow in the footsteps of Australia or the UK. Only as we cross that line and confiscate hundreds of millions of guns, it's fathomable - yet still far from certain - that we would see a sharp drop in homicides.
</p>
<p>
This method of inquiry helps explain the visceral response from gun rights advocates: given the legislation's dubious benefits and its predicted long-term consequences, many pro-gun folks are genuinely worried that making concessions would eventually mean giving up one of their cherished civil liberties - and on some level, they are right.
</p>
<p>
Some feel that this argument is a fallacy, a tall tale invented by a sinister corporate "gun lobby" to derail the political debate for personal gain. But the evidence of such a conspiracy is hard to find; in fact, it seems that the progressives themselves often fan the flames. In the wake of Roseburg, both <a href='https://www.whitehouse.gov/the-press-office/2015/10/01/statement-president-shootings-umpqua-community-college-roseburg-oregon'>Barack Obama</a> and <a href='http://www.cnn.com/2015/10/16/politics/nra-hillary-clinton-guns-democrats/'>Hillary Clinton</a> came out praising the confiscation-based gun control regimes employed in Australia and the UK - and said that they would like the US to follow suit. Depending on where you stand on the issue, it was either an accidental display of political naivete, or the final reveal of their sinister plan. For the latter camp, the ultimate proof of a progressive agenda came a bit later: in response to the terrorist attack in San Bernardino, several eminent Democratic-leaning newspapers published scathing editorials demanding civilian disarmament while downplaying the attackers' connection to Islamic State.
</p>
<p>
Another factor that poisons the debate is that despite being highly educated and eloquent, the progressive proponents of gun control measures are often hopelessly unfamiliar with the very devices they are trying to outlaw:
</p>
<div style='margin-left: 4ex'>
<iframe width="420" height="315" src="https://www.youtube.com/embed/9rGpykAX1fo" frameborder="0" allowfullscreen></iframe>
</div>
<p>
I'm reminded of the widespread contempt faced by Senator Ted Stevens following his attempt to compare the Internet to a "<a href='https://en.wikipedia.org/wiki/Series_of_tubes'>series of tubes</a>" as he was arguing against <a href='https://en.wikipedia.org/wiki/Net_neutrality'>net neutrality</a>. His analogy wasn't very wrong - it just struck a nerve as simplistic and out-of-date. My progressive friends did not react the same way when Representative Carolyn McCarthy - one of the key proponents of the <a href='https://en.wikipedia.org/wiki/Federal_Assault_Weapons_Ban'>ban on assault weapons</a> - showed no understanding of the supposedly lethal firearm features she was trying to eradicate. Such bloopers are not rare, either; not long ago, Mr. Bloomberg, one of the leading progressive voices on gun control in America, argued against semi-automatic rifles without understanding how they differ from the already-illegal machine guns:
</p>
<div style='margin-left: 4ex'>
<iframe width="420" height="315" src="https://www.youtube.com/embed/iV5E30ZY1kQ" frameborder="0" allowfullscreen></iframe>
</div>
<p>
Yet another example comes from Representative Diana DeGette, the lead sponsor of a "common-sense" bill that sought to prohibit the manufacture of magazines with capacity over 15 rounds. She <a href='http://www.denverpost.com/politics/ci_22942476/degette-draws-criticism-pretty-stupid-ammo-magazine-comment'>defended the merits of her legislation</a> while clearly not understanding how a magazine differs from ammunition - or that the former can be reused:
</p>
<div style="margin-left: 4ex; font-style: italic">
"I will tell you these are ammunition, they’re bullets, so the people who have those know they’re going to shoot them, so if you ban them in the future, the number of these high capacity magazines is going to decrease dramatically over time because the bullets will have been shot and there won’t be any more available."
</div>
<p>
Treating gun ownership with almost comical condescension has become vogue among a good number of progressive liberals. On a campaign stop in San Francisco, Mr. Obama sketched a caricature of bitter, rural voters who <i>"cling to guns or religion or antipathy to people who aren't like them"</i>. Not much later, one Pulitzer Prize-winning columnist for The Washington Post spoke of the Second Amendment as <i>"the refuge of bumpkins and yeehaws who like to think they are protecting their homes against imagined swarthy marauders desperate to steal their flea-bitten sofas from their rotting front porches"</i>. Many of the newspaper's readers probably had a good laugh - and then wondered why it has gotten so difficult to seek sensible compromise.
</p>
<p>
There are countless dubious and polarizing claims made by the supporters of gun rights, too; examples include a <a href='https://www.youtube.com/watch?v=ag_LjM3x_oQ'>recent NRA-backed tirade</a> by Dana Loesch denouncing the "godless left", or the constant onslaught of conspiracy theories spewed by Alex Jones and Glenn Beck. But when introducing new legislation, the burden of making educated and thoughtful arguments should rest on its proponents, not other citizens. When folks such as Bloomberg prescribe sweeping changes to the American society while demonstrating striking ignorance about the topics they want to regulate, they come across as elitist and flippant - and deservedly so.
</p>
<p>
Given how controversial the topic is, I think it's wise to start an open, national conversation about the European model of gun control and the risks and benefits of living in an unarmed society. But it's also likely that such a debate wouldn't last very long. Progressive politicians like to say that the dialogue is impossible because of the undue influence of the National Rifle Association - but as I discussed in my earlier blog posts, the organization's financial resources and power are often overstated: it does not even make it onto the list of top 100 lobbyists in Washington, and its support comes mostly from member dues, not from shadowy business interests or wealthy oligarchs. In reality, disarmament just happens to be a very unpopular policy in America today: the support for gun ownership is <a href='http://www.gallup.com/poll/1645/guns.aspx'>very strong</a> and has been growing over the past 20 years - even though hunting is on the decline.
</p>
<p>
Perhaps it would serve the progressive movement better to embrace the gun culture - and then think of ways to curb its unwanted costs. Addressing inner-city violence, especially among the disadvantaged youth, would quickly bring the US homicide rate much closer to the rest of the highly developed world. But admitting the staggering scale of this social problem can be an uncomfortable and politically charged position to hold. For Democrats, it would be tantamount to singling out minorities. For Republicans, it would be just another expansion of the nanny state.
</p>
<p style='color: gray'>
<i>PS. If you are interested in a more systematic evaluation of the scale, the impact, and the politics of gun ownership in the United States, you may enjoy an <a href='http://lcamtuf.blogspot.com/2015/06/a-bit-more-on-firearms-in-us.html'>earlier entry</a> on this blog. Or, if you prefer to read my entire series comparing the life in Europe and in the US, <a href='http://lcamtuf.blogspot.com/2015/07/poland-and-united-states-wrapping-up.html'>try this link</a>.</i>
</p>
<h4>Poland and the United States: all that begins must end</h4>
<p style='color: gray'><i>Michal Zalewski, 2015-07-15</i></p>
<p>
With my previous entry, I wrapped up an impromptu series of articles that chronicled my childhood experiences in Poland and compared the culture I grew up with to the American society that I'm living in today. For the readers who want to be able to navigate the series without scrolling endlessly, I wanted to put together a quick table of contents. Here it goes.
</p>
<p>
<b>The entry that started it all:</b>
</p>
<ul>
<li style='margin-bottom: 1ex'> <a href='http://lcamtuf.blogspot.com/2015/03/on-journeys.html'>"On journeys"</a> - a personal story recounting my travels from Poland to the US.
</ul>
<p>
<b>Oh, the places you won't go:</b>
</p>
<ul>
<li style='margin-bottom: 1ex'> <a href='http://lcamtuf.blogspot.com/2015/05/oh-places-you-wont-go-politics-of-poland.html'>The politics of Poland</a> - a retrospective look at the politics of a state emerging from under communist rule,
<li style='margin-bottom: 1ex'> <a href='http://lcamtuf.blogspot.com/2015/05/oh-places-you-wont-go-polonia-in-united.html'>Polonia in the United States</a> - looking at the Polish diaspora in the States and its connection to the homeland.
</ul>
<p>
<b>Poland (and Europe) vs the United States:</b>
</p>
<ul>
<li style='margin-bottom: 1ex'> <a href='http://lcamtuf.blogspot.com/2015/06/poland-vs-united-states-firearms.html'>Firearms</a> - a look at the gun culture of the United States (plus some <a href='http://lcamtuf.blogspot.com/2015/06/a-bit-more-on-firearms-in-us.html'>interesting stats</a> and a <a href='https://lcamtuf.blogspot.com/2015/10/subjective-explainer-gun-debate-in-us.html'>debate explainer</a> to boot),
<li style='margin-bottom: 1ex'> <a href='http://lcamtuf.blogspot.com/2015/06/poland-vs-united-states-civil-liberties.html'>Civil liberties</a> - a comparison of the attitudes toward a couple of fundamental freedoms,
<li style='margin-bottom: 1ex'> <a href='http://lcamtuf.blogspot.com/2015/06/poland-vs-united-states-friends.html'>Friends & acquaintances</a> - on small talk, interpersonal attitudes, and workplace relationships,
<li style='margin-bottom: 1ex'> <a href='http://lcamtuf.blogspot.com/2015/06/poland-vs-united-states-suburban-sprawl.html'>Suburban sprawl</a> - a look at suburban living and the rural America,
<li style='margin-bottom: 1ex'> <a href='http://lcamtuf.blogspot.com/2015/07/poland-vs-united-states-cutting-edge-of.html'>The cutting edge of technology</a> - the role of high-tech gadgets and design aesthetics in everyday lives,
<li style='margin-bottom: 1ex'> <a href='http://lcamtuf.blogspot.com/2015/07/poland-vs-united-states-crime-and.html'>Crime and punishment</a> - the attitudes to sentencing and incarceration,
<li style='margin-bottom: 1ex'> <a href='http://lcamtuf.blogspot.com/2015/07/poland-vs-united-states-immigration.html'>Immigration</a> - the differing sentiments toward migrants and cultural assimilation,
<li style='margin-bottom: 1ex'> <a href='http://lcamtuf.blogspot.com/2015/07/poland-vs-united-states-governance.html'>Governance</a> - comparing European unitary governments and the United States,
<li style='margin-bottom: 1ex'> <a href='http://lcamtuf.blogspot.com/2015/07/poland-vs-united-states-work-and.html'>Work and entitlements</a> - on employment law and the American Dream,
<li style='margin-bottom: 1ex'> <a href='http://lcamtuf.blogspot.com/2015/07/poland-vs-united-states-american.html'>American exceptionalism</a> - the perils and the necessity of arrogance.
</ul>
And now, back to the regularly scheduled programming..<a href='https://www.youtube.com/watch?v=B1BdQcJ2ZYY'>.</a>
<h4>Poland vs the United States: American exceptionalism</h4>
<p style='color: gray'><i>Michal Zalewski, 2015-07-15</i></p>
<p>
<div style='color: gray; border: 1px solid gray; padding : 1ex 2ex'>This is the fourteenth article talking about Poland, Europe, and the United States. To explore the entire collection, <a href='http://lcamtuf.blogspot.com/2015/07/poland-and-united-states-wrapping-up.html'>start here</a>.</div>
</p>
<p>
This is destined to be the final entry in the series that opened with a chronicle of my journey from Poland to the United States, only to veer into some of the most interesting social differences between America and the old continent. There are many other topics I could still write about - anything from the school system, to religion, to the driving culture - but with my parental leave coming to an end, I decided to draw a line. I'm sure that this decision will come as a relief for those who read the blog for technical insights, rather than political commentary :-)
</p>
<p>
The final topic I wanted to talk about is something that truly irks some of my European friends: the belief, held deeply by many Americans, that their country is the proverbial <i>"city upon a hill"</i> - a shining beacon of liberty and righteousness, blessed by the maker with the moral right to shape the world - be it by flexing its economic and diplomatic muscles, or with its sheer military might.
</p>
<p>
It is an interesting phenomenon, and one that certainly isn't exclusive to the United States. In fact, expansive exceptionalism used to be a very strong theme in the European doctrine long before it emerged in other parts of the Western world. For one, it underpinned many of the British, French, Spanish, and Dutch colonial conquests over the past 500 years. The romanticized notion of <a href='https://en.wikipedia.org/wiki/Sonderweg'>Sonderweg</a> played a menacing role in German political discourse, too - eventually culminating in the rise of the Nazi ideology and the onset of World War II. It wasn't until the defeat of the Third Reich that Europe, faced with unspeakable destruction and unprecedented loss of life, made a concerted effort to root out many of its nationalist sentiments and embrace a more harmonious, collective path as a single European community.
</p>
<p>
America, in a way, experienced the opposite: although it has always celebrated its own rejection of feudalism and monarchism - and in that sense, it had a robust claim to being a pretty unique corner of the world - the country largely shied away from global politics, participating only very reluctantly in World War I, then hoping to wait out World War II up until being attacked by Japan. Its conviction about its special role on the world stage solidified only after it paid a tremendous price to help defeat the Germans, to stop the march of the Red Army through the continent, and to build a prosperous and peaceful Europe; given the remarkable significance of this feat, the post-war sentiments in America may not be hard to understand. In that way, the roots of American exceptionalism differed from its European predecessors, being fueled by a fairly pure sense of righteousness - and not by anger, by a sense of injury, or by territorial demands.
</p>
<p>
Of course, the new superpower has also learned that its military might has its limits, facing humiliating defeats in some of the proxy wars with the Soviets and seeing an endless spiral of violence in the Middle East. The voices predicting its imminent demise, invariably present from the <a href='http://www.worldaffairsjournal.org/article/falling-upwards-declinism-box-set'>earliest days</a> of the republic, have grown stronger and more confident over the past 50 years. But the country remains a military and economic powerhouse; and in some ways, its trigger-happy politicians provide a counterbalance to the other superpowers' greater propensity to turn a blind eye to humanitarian crises and to genocide. It's quite possible that without the United States arming its allies and tempering the appetites of Russia, North Korea, or China, the world would have been a less happy place. It's just as likely that the Middle East would have been a happier one.
</p>
<p>
Some Europeans show indignation that Americans, with their seemingly know-it-all attitudes toward the rest of the world, still struggle to pinpoint Austria or Belgium on the map. It is certainly true that the media in the US pays little attention to the old continent. But deep down inside, European outlets don't necessarily fare a lot better, often focusing their international coverage on the silly and the formulaic: when in Europe, you are far more likely to hear about a daring rescue of a cat stuck in a tree in Wyoming, or about the Creation Museum in Kentucky, than you are to learn anything substantive about Obamacare. (And speaking of Wyoming and Kentucky, pinpointing these places on the map probably wouldn't be the European viewer's strongest suit.) In the end, Europeans who think they understand the intricacies of US politics are probably about as wrong as the average American making sweeping generalizations about Europe.
</p>
<p>
And on that intentionally self-deprecating note, it's time to wrap the series up.
</p>
<h4>Poland vs the United States: work and entitlements</h4>
<p style='color: gray'><i>Michal Zalewski, 2015-07-15</i></p>
<p>
<div style='color: gray; border: 1px solid gray; padding : 1ex 2ex'>This is the thirteenth article in a short series about Poland, Europe, and the United States. To explore the entire series, <a href='http://lcamtuf.blogspot.com/2015/07/poland-and-united-states-wrapping-up.html'>start here</a>.</div>
</p>
<p>
In one of my <a href='http://lcamtuf.blogspot.com/2015/06/poland-vs-united-states-civil-liberties.html'>earlier posts</a>, I alluded to the pervasive faith in the American Dream: the national ethos of opportunity, self-sufficiency, and free enterprise that influences the political discourse in the United States. The egalitarian promise of the American Dream is simple: no matter who you are, hard work and ingenuity will surely allow you to achieve your dreams. From that, it follows that on your journey, you are not entitled to much; the government will be there to protect your freedom, but it will not give you a head start.
</p>
<p>
Unlike many of my peers, I suspect that there is truth to the cliche; the United States is a remarkably industrious nation and the home to many of the world's most innovative and fastest-growing businesses. It certainly treads ahead of European economies, still dominated by pre-war industrial conglomerates and former state monopolists, and weighed down by aging populations, highly regulated markets, and inflexible, out-of-control costs. America's mostly-self-made magnates, the likes of Elon Musk, Bill Gates, and Warren Buffett, are also far more likable and seemingly more human than Europe's stereotypical caste of aristocratic families and shadowy oligarchs.
</p>
<p>
On the flip side, the striking upward mobility of rags-to-riches icons such as Steve Jobs or Oprah Winfrey tends to be an exception, not a rule. Many scholars point out that parents' incomes are highly predictive of the incomes of their children - and that in the US, this effect is more pronounced than in some of the European states. Such studies can be misleading, because in less unequal EU societies, moving to a higher income quantile may confer no substantial change in the quality of life - but ultimately, there is no denying that people who are born into poor families will usually remain poor for the rest of their lives. And with the contemporary trends in outsourcing and industrial automation, the opportunities for unskilled blue collar labor - once a key stepping stone in the story of the American Dream - are shrinking fast.
</p>
<p>
In contrast with the United States, many in Europe reject <a href='http://www.amazon.com/Free-Choose-Statement-Milton-Friedman/dp/0156334607/'>Milton Friedman's views on consensual capitalism</a> and hold that it is a basic human right to be able to live a good life or to have an honest and respectable job. This starts with the labor law: in much of the United States, firing an employee can happen in the blink of an eye, for almost any reason - or without giving a reason at all. In Europe, the employer will need a just cause and will go through a lengthy severance period; depending on the circumstances, the company may also be barred from hiring another person to do the same job. Employment benefits follow the same pattern; in the US, paid leave is largely up to employers to decide, with skilled workers being lured with packages that would make Europeans jealous - but many unskilled laborers, especially in the retail and restaurant business, getting the short end of that stick.
</p>
<p>
In Europe, enabling the disadvantaged to contribute to the society and to live fulfilling lives is also a matter of government policy, often implemented through sweeping wealth redistribution - or through public-sector employment orchestrated at a scale that rivals that of quasi-communist China and other authoritarian countries (for example, in France and Greece, about one in three jobs is run by the state). Such efforts tend to be more successful in small and wealthy Scandinavian countries, where the society can be engineered with more finesse. In many other parts of the continent, systemic, long-term poverty is still rampant, with the government being able to do little more than providing people with a lifetime of subsidized basic sustenance and squalid living conditions. Ultimately, when it comes to combating multi-generational poverty, financial aid administered by sprawling national bureaucracies is not always a cure-all.
</p>
<p>
Perhaps interestingly, the benefits that are most frequently described as inadequate in the US are not as strikingly different from what one would be entitled to in the EU. For example, the minimum wage is quite comparable; it is around $2.60 per hour in Poland, about $3.70 in Greece, some $9.30 in Germany, and in the ballpark of $10.00 in the UK. In the US, the national average hovers somewhere around $8.00, with some of the states with higher costs of living on track to raise it to $10.00 within a year or two; in fact, some progressive municipalities are aiming for $15.
</p>
<p>
Unemployment and retirement benefits, although certainly not lavish, also follow the same pattern. When it comes to unemployment in particular, in the States, workers are entitled to about half of their previous salary for up to six months - although that period has been routinely extended in times of economic calamity. In Europe, the figures are roughly comparable, with payments in the ballpark of 50-70% of your previous salary, typically extending for somewhere between 6 and 12 months. The main difference is that the upper limit for monthly benefits tends to be significantly lower in the US than in Europe, often putting far greater strain on single-income families in places with high cost of living. In France, the ceiling seems to be around $8,000 a month; in the US, you will probably see no more than $2,000.
</p>
<p>
Another overlooked dimension of this debate is the unique tradition of charitable giving in the United States - a phenomenon that allows private charities to provide extensive assistance to people in need. Such giving happens on a staggering scale, with citizens donating more than <a href='http://givingusa.org/giving-usa-2015-press-release-giving-usa-americans-donated-an-estimated-358-38-billion-to-charity-in-2014-highest-total-in-reports-60-year-history/'>$350 billion a year</a> - more than twenty times the amount donated in the UK. The bulk of that money goes to organizations that provide food, shelter, and counseling to the poor. It is an interesting model, with its own share of benefits and trade-offs: private charities operate on a more local scale and have a far stronger incentive to spend money wisely and provide meaningful aid. On the flip side, their reach is not as universal - and the benefits are not guaranteed.
</p>
<p>
Many of the conservatives who preach the virtues of the American Dream vastly underestimate the pervasive and lasting consequences of being born into poverty or falling on hard times; they also underestimate the role that unearned privilege and luck played in their own lives. The progressives often do no better, seeing European social democracies as a flawless role model, even in the midst of the enduring sovereign debt crisis in the eurozone; breathlessly reciting knock-off Marxist slogans; and portraying the rich as Mr. Burns-esque villains of unfathomable wealth, motivated by just two goals: to exploit the working class and to avoid paying taxes at any cost. In the end, helping the disadvantaged is a moral imperative - but many ideas sound better on a banner than when implemented as a government policy.
</p>
<p>
<div style='color: gray; border: 1px solid gray; padding : 1ex 2ex'>For the next and final article in the series, <a href='http://lcamtuf.blogspot.com/2015/07/poland-vs-united-states-american.html'>click here</a>.</div>
</p>
<h4>Poland vs the United States: governance</h4>
<p style='color: gray'><i>Michal Zalewski, 2015-07-14</i></p>
<p>
<div style='color: gray; border: 1px solid gray; padding : 1ex 2ex'>This is the twelfth article in a short series about Poland, Europe, and the United States. To explore the entire series, <a href='http://lcamtuf.blogspot.com/2015/07/poland-and-united-states-wrapping-up.html'>start here</a>.</div>
</p>
<p>
The American model of government is a complex beast. To a visitor from continental Europe, accustomed to the Napoleonic traditions of civil law and to the political realities of unitary states, the sight can be also a bit perplexing: after all, how does a country of this size prosper with a bitterly partisan, gridlocked Congress that repeatedly fails to even pass the budget on time? And how is it possible that, with an <a href='http://www.gallup.com/poll/180113/2014-approval-congress-remains-near-time-low.aspx'>approval rating of 15%</a>, the elected officials are not facing a wave of widespread social unrest?
</p>
<p>
I suspect that the key to solving this riddle lies in the fact that the United States is still very much a federation of self-governing states - and that most of the decisions that affect the lives of ordinary citizens are not made in Washington. Each and every state establishes its own criminal and civil law, levies its own taxes, runs its own welfare systems, and appoints its own judges - sometimes by popular vote. In fact, the states routinely confer far-reaching powers onto individual municipalities: for example, most towns and counties operate their own, completely autonomous police departments that respond to local officials, not to a career politician on the East Coast.
</p>
<p>
All this makes the government feel quite different from what you are likely to experience in Europe. Let's stick to law enforcement: in Poland and in some other European states, where the police are a part of a sprawling national bureaucracy, the citizens may have very few options for addressing concerns that do not rise to the level of national debate. In the US, dismantling the entire police force may seem trivial in comparison: the concerned citizens may need to get a local newspaper interested in their cause, then band together to recall the local official who is ultimately on the hook. Of course, the independence comes at a price: small, self-funded police departments can be quicker to adopt questionable practices that would not stand up to broader scrutiny, such as racial profiling or the rash application of <a href='https://en.wikipedia.org/wiki/Civil_forfeiture_in_the_United_States'>civil forfeiture</a>.
</p>
<p>
When it comes to the role of the federal government, the picture is complicated. In principle, the constitution gives it only a couple of duties; for example, the feds control various aspects of interstate commerce, print money, maintain armed forces, and handle foreign affairs. Of course, over the years, their responsibilities have expanded considerably, with the legislators exploiting the vagueness of the concept of "interstate commerce" in all sorts of <a href='https://en.wikipedia.org/wiki/Gun-Free_School_Zones_Act_of_1990#Challenges'>creative ways</a>. Today, the ongoing debate about the appropriate boundaries of this practice fuels the partisan gridlock in Washington. Modern-day Republicans, swayed by the conservative <a href='https://en.wikipedia.org/wiki/Tea_Party_movement'>Tea Party movement</a>, argue that the feds should honor the vision of the Founding Fathers and not meddle in the affairs of the states. The Democratic party, taking notes from the vaguely leftist <a href='https://en.wikipedia.org/wiki/Occupy_Wall_Street'>Occupy campaign</a>, increasingly sees the federal government as a flexible tool for establishing country-wide standards of environmental protection, labor rights, welfare, gun control, education, and other progressive causes historically associated with European social democrats.
</p>
<p>
On that matter, the voters themselves seem to be split. In <a href='http://www.gallup.com/poll/27286/government.aspx'>polls</a>, a robust majority of Americans declare that their government regulates too many aspects of their lives, tries to solve too many problems, wields too much control, and is inherently less efficient and less fair than private enterprises; about two-thirds of respondents see the feds as more of a problem than a solution, and a shocking 50% believe that the apparatus poses an immediate and serious threat to civil liberties. Yet, despite holding views that would make Milton Friedman proud, when asked about specific programs and entitlements - be it defense spending or Medicare - most voters oppose budget cuts. Ultimately, the equally powerful distrust of big corporations, coupled with the allure of European-style welfare systems, often sends the public into the embrace of big-government progressives who promise to solve a growing range of societal ills using federal-level income redistribution and overarching legislative frameworks.
</p>
<p>
Either way, owing to the parties' newly-found tendency to pander to populist fringes and their inability to compromise, the dysfunctional Congress gets very little love from the average voter; but somewhat paradoxically, the representatives from each and every district are usually well-liked by their own constituents and get reelected with ease. Some blame <a href='https://en.wikipedia.org/wiki/Gerrymandering_in_the_United_States'>gerrymandering</a>, but a simpler explanation exists: most of the candidates have strong ties to the districts they represent, many of them having a track record as local politicians or successful businessmen. As a result, they understand what matters to their constituents and often meaningfully work to advance that agenda. They also live and die at the mercy of local newspapers, sometimes lending a hand to the voters who write or call them to resolve bureaucratic hurdles and address other everyday grievances. The practice of getting your representatives involved in such matters is almost unthinkable in Poland, where the slots on local ballots are traded by party officials - and are routinely handed out to people with little or no connection to the region they are supposed to represent.
</p>
<p>
With American political campaigns financed from private funds, it is often argued that the representatives in Congress are disproportionately influenced by the wealthy few and by a variety of organized lobby groups. This is likely true, although the disparity is at least partly offset by the public's fascination with human interest stories and the tendency to root for the common folk. Ultimately, even the most cynical congresspeople can afford to be persuaded by money only when it comes to the topics that their constituents are fairly indifferent to.
</p>
<p>
Beyond the legislative and executive branches of the government, some distinct undertones of self-governance are present in the US judicial system, too. The country borrows from the traditions of British common law, rather than the civil law system utilized in much of continental Europe. It embraces the significance of legal precedent and emphasizes humanist values over the strict application of legal codes, with remarkably broad powers vested in the judges and in the juries of peers - up to the notion of <a href='https://en.wikipedia.org/wiki/Jury_nullification_in_the_United_States'>jury nullification</a>. Ultimately, the system seeks to limit the consequences of the fallibility of legislators, who often struggle to properly consider all the implications of the laws they pass; it trades this for the increased risk of fallible courts - who bring their own subconscious biases into the mix.
</p>
<p>
<div style='color: gray; border: 1px solid gray; padding : 1ex 2ex'>For the next article in the series, <a href='http://lcamtuf.blogspot.com/2015/07/poland-vs-united-states-work-and.html'>click here</a>.</div>
</p>
<h4>Poland vs the United States: immigration</h4>
<p style='color: gray'><i>Michal Zalewski, 2015-07-06</i></p>
<p>
<div style='color: gray; border: 1px solid gray; padding : 1ex 2ex'>This is the eleventh article in a short series about Poland, Europe, and the United States. To explore the entire series, <a href='http://lcamtuf.blogspot.com/2015/07/poland-and-united-states-wrapping-up.html'>start here</a>.</div>
</p>
<p>
There are quite a few corners of the world where the ratio of <a href='https://en.wikipedia.org/wiki/List_of_countries_by_immigrant_population'>immigrants to native-born citizens</a> is remarkably high. Many of these places are small or rapidly growing countries - say, Monaco or Qatar. Some others, including several European states, just happen to be on the receiving end of transient, regional demographic shifts; for example, in the past decade, over 500,000 people moved from Poland to the UK. But on the list of foreigner-friendly destinations, the US deserves a special spot: it is an enduring home to by far the largest, most diverse, and quite possibly best-assimilated migrant population in the world.
</p>
<p>
The inner workings of the American immigration system are a fascinating mess - a tangle of complex regulation, of multiple overlapping bureaucracies, and of quite a few unique social norms. The bureaucratic machine itself is ruthlessly efficient, issuing several million non-tourist visas and processing over 700,000 naturalization applications every year. But the system is also marred by puzzling dysfunction: for example, it allows highly skilled foreign students to attend US universities, sometimes granting them scholarships - only to show many of them the door the day they graduate. It runs a restrictive H-1B visa program that ties foreign workers to their petitioning employers, preventing them from seeking better wages - thus artificially depressing the salaries of some citizen and permanent resident employees who now have to compete with H-1B captives. It also neglects the countless illegal immigrants who, with the tacit approval of legislators and business owners, prop up many facets of the economy - but are denied the ability to join the society even after decades of staying out of trouble and doing honest work.
</p>
<p>
Despite being fairly picky about the people it admits into its borders, in many ways, the United States is still an exceptionally welcoming country: very few other developed nations unconditionally bestow citizenship onto all children born on their soil, run immigration lotteries, or allow newly-naturalized citizens to invite their parents, siblings, and adult children over, no questions asked. At the same time, the US immigration system has a shameful history of giving credence to populist fears about alien cultures - and of implementing <a href='https://en.wikipedia.org/wiki/Immigration_Act_of_1924'>exclusionary policies</a> that, at one time or another, targeted anyone from the Irish, to Poles, to Arabs, to people from many parts of Asia or Africa. Some pundits still find this sort of scaremongering fashionable, now seeing Mexico as the new threat to the national identity and to the American way of life. The claim made very little sense 15 years ago - and makes even less of it today, as the migration from the region has <a href='http://www.pewhispanic.org/files/2012/04/2012-phc-mexican-migration-03a.png'>dropped precipitously</a> and has been eclipsed by the inflow from other parts of the world.
</p>
<p>
The contradictions, the dysfunction, and the occasional prejudice aside, what always struck me about the United States is that immigration is simply a part of the nation's identity; the principle of welcoming people from all over the world and giving them a fair chance is an axiom that is seldom questioned in any serious way. <a href='https://www.census.gov/prod/2004pubs/c2kbr-35.pdf'>When surveyed</a>, around 80% of Americans can identify their own foreign ancestry - and they often do this with enthusiasm and pride. Europe is very different, with national identity being a more binary affair; I always felt that over there, accepting foreigners is seen as a humanitarian duty, not an act of nation-building - and that this attitude makes it harder for the newcomers to truly integrate into the society.
</p>
<p>
In the US, as a consequence of treating contemporary immigrants as equals, many newcomers face a strong social pressure to make it on their own, to accept American values, and to adopt the American way of life; it is a powerful, implicit social contract that very few dare to willingly renege on. In contrast to this, post-war Europe approaches the matter differently, seeing greater moral value in letting the immigrants preserve their cultural identity and customs, with the state stepping in to help them jumpstart their new lives through a variety of education programs and financial benefits. It is a noble concept, although I'm not sure if the compassionate European approach always worked better than the more ruthless and pragmatic American method: in France and in the United Kingdom, massive migrant populations have been condemned to a life of exclusion and hopelessness, giving rise to social unrest and - in response - to powerful anti-immigrant sentiments and policies. I think this hasn't happened to nearly the same extent in the US, perhaps simply because the social contract is structured in a different way - but then, I know eminently reasonable folks who would disagree.
</p>
<p>
As for my own country of origin, it occupies an interesting spot. Historically a cosmopolitan nation, Poland has lost much of its foreign population and ethnic minorities to the horrors of World War II and to the policies implemented within the Soviet Bloc - eventually becoming one of the most culturally and ethnically homogeneous nations on the continent. Today, migrants comprise <a href='http://europa.eu/rapid/press-release_STAT-12-105_en.doc'>less than 1%</a> of its populace, and most of them come from the neighboring, culturally similar Slavic states. Various flavors of xenophobia run deep in the society, playing right into the recent pan-European anti-immigration sentiments. As I'm writing this, Poland is fighting the European Commission tooth and nail not to take three thousand asylum seekers from Syria; many politicians and pundits want to first make sure that all the refugees are of Christian faith. For many Poles, reasonable concerns over non-assimilation and extremism blend with a wholesale distrust of foreign cultures.
</p>
<p>
<div style='color: gray; border: 1px solid gray; padding : 1ex 2ex'>For the next article in the series, <a href='http://lcamtuf.blogspot.com/2015/07/poland-vs-united-states-governance.html'>click here</a>.</div>
</p>
<h4>Poland vs the United States: crime and punishment</h4>
<p>Michal Zalewski, 2015-07-05</p>
<p>
<div style='color: gray; border: 1px solid gray; padding : 1ex 2ex'>This is the tenth article in a short series about Poland, Europe, and the United States. To explore the entire series, <a href='http://lcamtuf.blogspot.com/2015/07/poland-and-united-states-wrapping-up.html'>start here</a>.</div>
</p>
<p>
Throughout much of its history, the United States has been a comparatively violent nation. From the famed lawlessness of the western frontier, to the brawling biker gangs, to the iconic Italian Mafia and the fearsome Mexican drug cartels, the thirst for blood has left a mark on the American psyche - and profoundly influenced many of the country's most cherished works of literary and cinematic art.
</p>
<p>
But sooner or later, a line gets drawn. And so, when a tidal wave of violent crime swept the nation in the late 80s, the legislators and the executive branch felt obliged to act. Many wanted to send a message to the criminal underworld by going after it with relentless and uncompromising zeal - kicking off the multi-decade War on Drugs and rolling out policies such as the <a href='https://en.wikipedia.org/wiki/Three-strikes_law'>three strikes law</a> in California or <a href='https://en.wikipedia.org/wiki/Stop-and-frisk_in_New_York_City'>stop-and-frisk</a> in New York City. Others saw the root of all evil in the <a href='http://lcamtuf.blogspot.com/2015/06/a-bit-more-on-firearms-in-us.html'>pervasive gun culture</a> of the United States - successfully outlawing the possession or carry of certain classes of firearms and establishing a nation-wide system of background checks.
</p>
<p>
And then, in the midst of these policy changes, something very interesting started to unfold: the crime rate <a href='http://www.decisionsonevidence.com/wp-content/uploads/2011/12/Estimated-Violent-Crime-Rate-US-Total-1960-2009.png'>plunged like a rock</a>, dropping almost 50% over the course of twenty years. But why? Well, the funny thing is, <a href='http://www.vox.com/cards/crime-rate-drop'>nobody could really tell</a>. The proponents of tough policing and the War on Drugs tooted their own horns; but less vindictive municipalities that adopted programs of community engagement and proactive policing heralded broadly comparable results. Gun control advocates claimed that getting AR-15s and handguns off the streets made a difference; gun rights activists found little or no crime gap between the gun-friendly and the gun-hostile states. Economists pointed out that people were living better, happier, and longer lives. Epidemiologists called out the elimination of lead - an insidious developmental neurotoxin - from paints and gasoline. Some scholars have gone as far as claiming that easy access to contraception and abortion caused fewer children to be born into multi-generational poverty and to choose the life of crime.
</p>
<p>
Europe certainly provided an interesting contrast; the old continent, having emerged from two unspeakably devastating and self-inflicted wars, celebrated its newly-found pacifist streak. Its modern-day penal systems reflected the philosophy of reconciliation - abolishing the death penalty and placing greater faith in community relationships, alternative sentencing, and the rehabilitation of criminals. A person who served a sentence was seen as having paid their dues: in Poland and many other European countries, his or her prospective employers would be barred from inquiring about the criminal record, and the right to privacy would keep the indictments and court records from public view.
</p>
<p>
It's hard to say if the European model worked better when it comes to combating villainy; in the UK, crime trends <a href='http://www.ons.gov.uk/ons/resources/figure4_tcm77-273046.png'>followed the US trajectory</a>; in Sweden, they <a href='http://i23.photobucket.com/albums/b390/Camlon/crimeUS_Sweden.png'>did the opposite</a>. But the utilitarian aspect of the correctional system aside, the US approach certainly carries a heavy humanitarian toll: the country maintains a truly astronomical prison population, disproportionately comprised of ethnic minorities and the poor; recidivism rates are high and overcrowding in some penitentiary systems <a href='http://www.nytimes.com/2011/05/24/us/24scotus.html'>borders on the inhumane</a>.
</p>
<p>
Untangling this mess is not easy; most Americans <a href='http://www.gallup.com/poll/1603/crime.aspx'>seriously worry about crime</a> and see it as a growing epidemic, even if their beliefs are not substantiated by government-published stats. Perhaps because of this, they favor tough policing; reports of potential prosecutorial oversight - such as the recent case of a <a href='http://www.cnn.com/2015/07/03/us/san-francisco-killing-suspect-immigrant-deported/'>tragic homicide in San Francisco</a> - tend to provoke broader outrage than any comparable claims of overreach. Similarly, police brutality or prison rape are widely acknowledged and even joked about - but are seen as something that only ever happens to the bad folks.
</p>
<p>
<div style='color: gray; border: 1px solid gray; padding : 1ex 2ex'>For the next article in the series, <a href='http://lcamtuf.blogspot.com/2015/07/poland-vs-united-states-immigration.html'>click here</a>.</div>
</p>
<h4>Poland vs the United States: the cutting edge of technology</h4>
<p>Michal Zalewski, 2015-07-04</p>
<p>
<div style='color: gray; border: 1px solid gray; padding : 1ex 2ex'>This is the ninth article in a short series about Poland, Europe, and the United States. To explore the entire series, <a href='http://lcamtuf.blogspot.com/2015/07/poland-and-united-states-wrapping-up.html'>start here</a>.</div>
</p>
<p>
No matter what your take on the United States is, there is no denying that the country has been on the forefront of scientific and industrial progress for much of the past century. In that time frame alone, the nation's research institutions and corporations have made countless fundamental contributions to almost every single aspect of contemporary technology - from polymer science, to computing, to aviation, to medicine, to nuclear power, to space exploration, to communications, to modern warfare.
</p>
<p>
Given the country's track record of relentless innovation, one would expect its residents to be quick to embrace technological novelties and futuristic design trends. But when it comes to everyday living, I find that the opposite is more often true. Let's take banking: many of my Polish friends recoil in terror when they find out that the world's most sophisticated financial system still settles many private transactions by writing checks; that in stores, you usually swipe the magnetic strip and scribble your name on a piece of paper; or that sending a wire transfer usually involves a trip to your bank, a hefty fee, and waiting a couple of days.
</p>
<p>
For many of them, it must be equally perplexing to visit a typical well-off American home. Kitchens are a good example: in much of continental Europe, the standard of upscale kitchen architecture tends to revolve around <a href='http://ramani.pl/wp-content/uploads/2013/01/PROJEKT-KUCHNI-NOCNA.jpg'>sleek, sterile looks</a> constructed out of flat panes of glass, steel, plastic, and concrete; the drawers and cabinets will cleverly blend in to reveal <a href='https://www.questodesign.com/media/catalog/product/cache/1/image/600x600/9df78eab33525d08d6e5fb8d27136e95/o/n/one_slot_toaster_detail_3.jpg'>space-age appliances</a> hidden inside. The kitchen is, in essence, the embodiment of technological progress and of modern design aesthetics.
</p>
<p>
In the US, the European school of design has gained some foothold in pricey downtown apartments targeted at the wealthy youth - but the dominant, all-American archetype looks nothing like it. Many of the newly-built houses will feature old-fashioned, bulky granite countertops and ornate but functionally basic <a href='http://www.americankitchencabinets.net/American_Kitchen_Cabients/Welcome_files/Behrens%20Kitchen.jpg'>colonial-style wooden carpentry</a>; most of the fancy small appliances will feel like they were pulled <a href='http://lgcdn.220-electronics.com/media/catalog/product/cache/1/image/9df78eab33525d08d6e5fb8d27136e95/2/2/220-volt-kitchenaid-artisan-stand-mixer-pistachio.jpg'>straight out of the 30s</a>, too. Decorative details, such as crown moldings, vaulted ceilings, and marble columns are thrown in to differentiate luxury developments from the housing available to the middle class. Elsewhere in the house, <a href='http://www.bestrentsplus.com/wp-content/uploads/2012/12/WHIRLPOOL.jpg'>featureless top-loading washing machines</a> and <a href='http://www.proluxcleaners.com/media/catalog/product/cache/4/image/9df78eab33525d08d6e5fb8d27136e95/g/r/great_vacs_130107-66_1_1k.jpg'>clunky upright vacuums</a> are a common sight.
</p>
<p>
The contrast is interesting and difficult to explain; it's certainly not that Americans are Luddites: they are quick to take the lead with many types of utilitarian technologies. The country pioneered and popularized everything from refrigerators, to air conditioning, to dishwashers, to automatic transmission, to smartphones, to microwaves. It's also not that the residents show special reverence to the traditions of the bygone days. Perhaps the utilitarian principle is key: it may be that consumers judge many of their purchases based on the utility and lasting value of the durable goods, more than on their novelty or the image said goods may project.
</p>
<p>
If so, the observation would fly in the face of the country's reputation for rampant consumerism, a stereotype frequently contrasted with the meditated sophistry of Europe. But then, the conclusion may be overly broad: even within the United States, there are many interesting differences in how tangible goods are used to signal personal wealth. In Los Angeles or Miami, just like in much of Europe, luxury sports vehicles are a widely accepted symbol of affluence. In Silicon Valley, the practice is frowned upon, with many of the dot-com millionaires living in unassuming homes and driving fuel-efficient cars. Perhaps this is a matter of social conscience; perhaps of having different priorities; and perhaps simply of fearing that they would be vilified by society.
</p>
<p>
<div style='color: gray; border: 1px solid gray; padding : 1ex 2ex'>For the next article in the series, <a href='http://lcamtuf.blogspot.com/2015/07/poland-vs-united-states-crime-and.html'>click here</a>.</div>
</p>
<h4>Poland vs the United States: suburban sprawl</h4>
<p>Michal Zalewski, 2015-06-29</p>
<p>
<div style='color: gray; border: 1px solid gray; padding : 1ex 2ex'>This is the eighth article in a short series about Poland, Europe, and the United States. To explore the entire series, <a href='http://lcamtuf.blogspot.com/2015/07/poland-and-united-states-wrapping-up.html'>start here</a>.</div>
</p>
<p>
If you live in any other western country, your perception of the United States is bound to be profoundly influenced by Hollywood. You may think you're immune to it, but you are not: sure, you can sneer at the ridiculous plot holes or the gratuitous patriotism in American blockbusters - but the establishing shots of high-rise cityscapes of Manhattan or Los Angeles will be seared into your mind. These images will color your expectations and your understanding of the country in more ways than you may expect.
</p>
<p>
Because of this phenomenon, urban dwellers from Europe who come to visit the US may be in for a surprise: the country will probably feel a lot more rural than they would have thought. They will get to marvel at the grand cities and the iconic skyscrapers; but chances are, this scenery will quickly morph not into the familiar urban jungle of massive apartment blocks seen throughout much of Europe, but into the <a href='http://a.fastcompany.net/multisite_files/fastcompany/poster/2014/04/3028661-poster-p-suburb-az.jpg'>endless suburban sprawl</a> of single-family homes and strip malls.
</p>
<p>
For most Americans, this vast, low-density suburban landscape is the backdrop of their everyday lives. Take San Francisco: just 800,000 people live in the city proper. The San Francisco Bay Area, home to 8 million residents and the location of the largest and most influential tech hub in the world, is nothing more than an enormous stretch of greenery peppered with detached homes, unassuming two-story office buildings, and roadside car dealerships. Heck, even New York City, by far the largest urban conglomeration in America, is just a blip on the radar compared to the colossal suburban sprawl that engulfs the region - <a href='https://en.wikipedia.org/wiki/Northeast_megalopolis'>stretching all the way</a> from Massachusetts to Washington D.C.
</p>
<p>
The raw numbers paint a similar picture: in Poland, the average population density is around 125 people per square kilometer; in the more densely populated Germany, the figure is closer to 220. In comparison, with fewer than 35 people per km<sup>2</sup>, the United States comes out looking like a barren wasteland. The country has many expanses of untouched wilderness - and quite a few rural regions where the residents get by without so much as a <a href='http://www.theatlantic.com/magazine/archive/2013/01/where-the-streets-have-no-name/309186/'>postal address</a>, a nearby fire station, a police department, or a hospital.
</p>
<p>
Awareness of the predominantly suburban and rural character of much of the US is vital to understanding some of the national stereotypes that may seem bizarre or archaic to urban-dwelling Europeans. It certainly helps explain the limited availability of public transportation, or the residents' love for rifles and gas-guzzling pickup trucks. The <a href='http://lcamtuf.coredump.cx/prep/'>survivalist "prepper" culture</a>, focused on self-sufficiency in the face of disaster, is another cultural phenomenon that, although seemingly odd, is not just pure lunacy; in the past few decades, millions of Americans had to <a href='https://en.wikipedia.org/wiki/List_of_mass_evacuations#21st_century'>evacuate or dig in</a> in response to hurricanes, wildfires, earthquakes, or floods.
</p>
<p>
The stark difference between urban and rural living can also make it easier to grasp some of the ideological clashes between the big-city liberal progressives and the traditionally conservative dwellers of the so-called "flyover states". Sometimes, the conservatives are simply on the wrong side of history; but on some other occasions, the city-raised politicians, scholars, and journalists are too eager to paint the whole nation with the same brush. Take something as trivial as car efficiency standards: they will rub you one way if you take the subway to the office and drive your compact car to the grocery store; and another if you ever needed to haul firewood or construction materials on the back of your Ford F-150.
</p>
<p>
<div style='color: gray; border: 1px solid gray; padding : 1ex 2ex'>For the next article in the series, <a href='http://lcamtuf.blogspot.com/2015/07/poland-vs-united-states-cutting-edge-of.html'>click here</a>.</div>
</p>
<h4>Poland vs the United States: friends &amp; acquaintances</h4>
<p>Michal Zalewski, 2015-06-28</p>
<p>
<div style='color: gray; border: 1px solid gray; padding : 1ex 2ex'>This is the seventh article in a short series about Poland, Europe, and the United States. To explore the entire series, <a href='http://lcamtuf.blogspot.com/2015/07/poland-and-united-states-wrapping-up.html'>start here</a>.</div>
</p>
<p>
Cultural stereotypes are a dangerous and corrosive thing. They teach us that Poles are a tribe of thieving simpletons; or that Americans are arrogant, violent, and obese. And that's just the ethnicities that get off easy: the perception of blacks, Muslims, or European Jews can be far more vicious, often serving as a pretext for violent hate crime.
</p>
<p>
At the same time, there is no denying that certain unique archetypes are etched into the fabric of every society. I'd also posit that when cultures come into contact with each other, there is an <a href='https://en.wikipedia.org/wiki/Uncanny_valley'>uncanny valley</a> effect at play: the more similar the nations are, the easier it is for travelers to instinctively pick up the subtle variations - and to misread them as the personality quirks of the people they interact with.
</p>
<p>
For Poles who settle in the United States, the most striking contrast of this sort must be the persistence with which Americans want to engage in oddly personal small talk: you will always be greeted with <i>"how are you?"</i>, be it by the cashier at a grocery store, by your mailman, by the park ranger met on a trail, or by the waiter serving your food at a restaurant. The social expectation is to share short pleasantries or announce a brief piece of good news. But if your answer is overly specific or focuses on a negative event, you may be given quizzical looks and the conversation will stall.
</p>
<p>
To many of my compatriots, the exchange - lacking any apparent purpose - feels uncomfortable and insincere. I try not to look at it in a cynical way: the upbeat chit-chat, repeated over and over again, can probably make your day a bit better and a tad more fun. This constrained form of communication also provides something to build on the next time you see that person, even if every individual interaction is necessarily non-committal and brief.
</p>
<p>
Another explanation for the forced positivity may have to do with the pervasive can-do spirit at the core of the American culture. The national ethos of self-determination and unconstrained social mobility flies in the face of the daily struggles of disadvantaged citizens - but it remains a fundamental part of the cultural identity of the United States. The American Dream manifests itself everywhere, from the country songs of the Midwest to the high-tech entrepreneurship of the Silicon Valley. Your friends, coworkers, neighbors, and even complete strangers are there to support you when true calamity strikes - but dwelling on everyday mishaps is almost universally seen as a weakness that one needs to overcome in order to succeed in life.
</p>
<p>
In this regard, the Polish culture is strikingly different. After hundreds of years of political repression and foreign control, Poles have developed a colorful tradition of sarcastic humor and idle lamentation. This coping mechanism functions to this day: to a Pole, being asked about your day is seen as an invitation to air all the petty grievances; you wouldn't expect a friend to smile, exclaim <i>"I'm doing great!"</i>, and move on. Complaining about politics or work is how you build rapport with your peers. In fact, being overly upbeat or talking about professional success or accomplishment is likely to be met with suspicion or scorn. If you're a successful entrepreneur, you will probably open by complaining about your dealings with the Polish equivalent of the IRS.
</p>
<p>
In many ways, the Polish approach to chit-chat is more genuine and less rigid. At the same time, I feel that the negativity comes at a price; meeting a cranky clerk at a store sets the tone for the remainder of your day. The constant pessimism can also dampen some altruistic instincts: relatively few people in Poland get engaged in their communities or dedicate themselves to other forms of civic service. It is more accepted to just complain about the way things are.
</p>
<p>
Interestingly, in the United States, the boundaries that govern the conversations with complete strangers also extend into the workplace. When interacting with casual acquaintances, sarcasm is seen as jarring, while petty grumbling is perceived as an off-putting and unproductive personality trait. Off-color humor, widely tolerated in Poland, is usually inappropriate in white collar environments; doubly so if it comes at the expense of women, immigrants, or other disadvantaged social groups.
</p>
<p>
Some Europeans characterize the workplace etiquette in the US as political correctness run amok. There are situations where political correctness can stifle free speech, but I don't think this is one of them; for the most part, not hearing political rants or jokes about blondes or Jews just makes the world a bit better, even if the comments are uttered with no ill intent. Violating these rules will not necessarily get you in trouble, but in a culturally diverse society, it can make it harder to find new friends.
</p>
<p>
<div style='color: gray; border: 1px solid gray; padding : 1ex 2ex'>For the next article in the series, <a href='http://lcamtuf.blogspot.com/2015/06/poland-vs-united-states-suburban-sprawl.html'>click here</a>.</div>
</p>
<h4>Poland vs the United States: civil liberties</h4>
<p>Michal Zalewski, 2015-06-23</p>
<p>
<div style='color: gray; border: 1px solid gray; padding : 1ex 2ex'>This is the sixth article in a short series about Poland, Europe, and the United States. To explore the entire series, <a href='http://lcamtuf.blogspot.com/2015/07/poland-and-united-states-wrapping-up.html'>start here</a>.</div>
</p>
<p>
I opened my comparison of Poland and the US with the topic of <a href='http://lcamtuf.blogspot.com/2015/06/poland-vs-united-states-firearms.html'>firearm ownership</a>. I decided to take this route in part because of how alien the US gun culture may appear to outsiders - and because of how polarizing and interesting the subject is. But in today's entry, I wanted to take a step back and have a look at the other, more traditional civil liberties that will be more familiar to folks on the other side of the pond.
</p>
<p>
Before we dive in, it is probably important to note that the national ethos of the United States is very expressly built on the tradition of radical individualism and free enterprise - as championed by thinkers such as Milton Friedman, Friedrich Hayek, or Adam Smith. Of course, many words can be written about the disconnect between this romanticized vision and complex realities of entrepreneurship or social mobility in the face of multi-generational poverty - but the perception still counts: in much of Europe, the government is seen less as a guarantor of civil liberties, and more as a provider of basic needs. The inverse is more true in the US; the armed forces and small businesses enjoy the two top spots in <a href='http://www.gallup.com/poll/1597/confidence-institutions.aspx'>institutional trustworthiness surveys</a>; federal legislators come dead last. This sentiment shapes many of the ongoing political debates - not just around individual freedoms, but also as related to public healthcare or the regulation of commerce. The virtues of self-sufficiency and <i>laissez-faire</i> capitalism seem far more self-evident to the citizens of the US than they are in the EU.
</p>
<p>
With that in mind, it's worthwhile to start the comparison with the freedom of speech. A cherished tradition in the western world, this liberty is nevertheless subordinate to a number of collectivist social engineering goals across the whole old continent; for example, strong prohibitions exist on the promotion of Nazi ideology or symbolism, or on the mere practice of <a href='https://en.wikipedia.org/wiki/Laws_against_Holocaust_denial'>denying the Holocaust</a>. The freedom of speech is also broadly trumped by the right to privacy, including the hotly-debated <a href='https://en.wikipedia.org/wiki/Right_to_be_forgotten'>right to be forgotten</a> on the Internet. Other, more exotic restrictions implemented in several places in Europe include the prohibition against disrespecting the religious beliefs of others or insulting any acting head of state; in Poland, people have been prosecuted for hurling childish insults at the Pope or at the outgoing Polish president. Of course, the enforcement is patently selective: in today's political climate, no one will be charged for calling Mr. Putin a thug.
</p>
<p>
The US takes a more absolutist view of the First Amendment, with many hate groups enjoying <a href='https://en.wikipedia.org/wiki/Westboro_Baptist_Church'>far-reaching impunity</a> enshrined in the judicial standards put forward not by politicians, but by the unusually powerful US Supreme Court. The notion of "speech" is also interpreted very broadly, extending to many forms of artistic, religious, and political expression; in particular, the European <a href='https://en.wikipedia.org/wiki/French_ban_on_face_covering'>niqab and burka bans</a> would be patently illegal in the United States and aren't even the subject of serious debate. The concept of homeschooling, banned or heavily regulated in some parts of Europe, is <a href='http://www.usatoday.com/story/news/politics/2015/03/18/house-judiciary-committee-immigration-enforcement-bills/24960965/'>seen by some</a> through the same constitutional prism: it is your right to teach your children about <a href='https://en.wikipedia.org/wiki/Young_Earth_creationism'>Young Earth creationism</a>, and the right trumps any concerns over the purported social costs. Last but not least, there is the controversial <a href='https://en.wikipedia.org/wiki/Citizens_United_v._FEC'>Citizens United</a> decision, holding that some forms of financial support provided to political causes can be equated with constitutionally protected speech; again, the ruling came not from the easily influenced politicians, but from the Supreme Court.
</p>
<p>
As an aside, despite the use of freedom-of-speech restrictions as a tool for rooting out anti-Semitism and hate speech in Europe, the contemporary US may be providing a less fertile ground for racism and xenophobia than at least some parts of the EU. The country still struggles with its dark past and the murky reality of racial discrimination - but despite the stereotypes, the incidence of at least some types of casual racism in today's America seems <a href='http://www.washingtonpost.com/blogs/worldviews/files/2013/05/racism-map.jpg'>lower</a> than in much of Europe. The pattern is also evident in political discourse; many of the openly xenophobic opinions or legislative proposals put forward by European populist politicians would face broad condemnation in the US. Some authors argue that the old continent is facing a profound new wave of Islamophobia and
<a href='http://www.theatlantic.com/features/archive/2015/03/is-it-time-for-the-jews-to-leave-europe/386279/'>hatred toward Jews</a>; in countries such as Greece and Hungary, more than 60% of the population seems to be holding such views. In Poland, more than 40% say that Jews hold <a href='http://www.adl.org/assets/pdf/israel-international/european_attitudes_may_2005.pdf'>too much influence in business</a> - a surreal claim, given that there are just several thousand Jews living in the country of 38 million. My own memories from growing up in that country are those of schoolkids almost universally using <i>"you Jew!"</i> as a mortal insult. The defacement of Jewish graves and monuments, or anti-Semitic graffiti, posters, and sports chants are far more common than they should be. It's difficult to understand if restrictions on free speech suppress the sentiments or make them worse, but at the very least, the success of the policies is not clear-cut.
</p>
<p>
Other civil liberties revered in the United States, and perhaps less so in Europe, put limits on the ability of the government to intrude into private lives through unwarranted searches and seizures. Of course, the stereotypical view of the US is that of a dystopian surveillance state, epitomized by the recent focus on warrantless surveillance or secret <a href='https://en.wikipedia.org/wiki/United_States_Foreign_Intelligence_Surveillance_Court'>FISA courts</a>. But having worked for a telecommunications company in Poland, my own sentiment is that in Europe, surveillance tends to be done with more impunity, far less legal oversight, and without clear delineation between law enforcement and intelligence work. The intelligence community in particular is often engaged in domestic investigations against businesses, politicians, and journalists - and all across Europe, <a href='http://www.independent.co.uk/news/uk/politics/britain-is-too-tolerant-and-should-interfere-more-in-peoples-lives-says-david-cameron-10246517.html'>"pre-crime" policing ideas</a> are taking hold.
</p>
<p>
In many European countries, citizens are not afforded powerful tools such as <a href='https://en.wikipedia.org/wiki/Freedom_of_Information_Act_(United_States)'>FOIA requests</a>, do not benefit from a tradition of protected investigative journalism and whistleblowing, and can't work with influential organizations such as the American Civil Liberties Union; there is also no history of scandals nearly as dramatic and transformative as Watergate. In the States, I feel that all this helped to create an imperfect but precious balance between the needs of the government and the rights of the people - and instill higher ethical standards in the law enforcement and intelligence community; it is telling that the revelations from Snowden, while exposing phenomenal and somewhat frightening surveillance capabilities of the NSA, have not surfaced any evidence of politically-motivated investigations or other blatant impropriety in how the capabilities are being used by the agency. The individualist spirit probably helps here, too: quite a few states and municipalities go as far as banning traffic enforcement cameras because of how they rob suspects of the ability to face the accuser in court.
</p>
<p>
When it comes to some other civil traditions that are sacrosanct in Europe, the United States needs to face justified criticism. The harsh and overcrowded penal system treats some offenders unfairly; it is a product of populist sentiments influenced by the crime waves of the twentieth century and fueled by the dysfunctional War on Drugs. While Polish prisons may not be much better, some of the ideas implemented elsewhere in Europe seem to make a clear difference. They are difficult to adopt in the States chiefly because they do not fit the folksy "tough on crime" image that many American politicians take pride in.
</p>
<p>
In the same vein, police brutality, disproportionately faced by the poor and the minorities, is another black mark for individual rights. The death penalty, albeit infrequent and reserved for most heinous crimes, stands on shaky moral grounds - even if it faces <a href='http://www.gallup.com/poll/178790/americans-support-death-penalty-stable.aspx'>steady public support</a>. The indefinite detention and torture of terrorism suspects, with the knowledge and complicity of many other European states, deserves nothing but scorn. <a href='https://en.wikipedia.org/wiki/Civil_forfeiture_in_the_United_States'>Civil forfeiture</a> is a bizarre concept that seems to violate the spirit of the Fourth Amendment by applying unreasonably relaxed standards for certain types of seizures - although in all likelihood, its days are coming to an end.
</p>
<p>
As usual, the picture is complex and it's hard to declare the superiority of any single approach to individual liberties. Europe and the United States have much in common, but also differ in very interesting ways.
</p>
<p>
<div style='color: gray; border: 1px solid gray; padding : 1ex 2ex'>For the next article in the series, <a href='http://lcamtuf.blogspot.com/2015/06/poland-vs-united-states-friends.html'>click here</a>.</div>
</p>